Skip to main content

Brute Force EUVDEUVD-2025-18211

| CVE-2025-5485 HIGH
Observable Response Discrepancy (CWE-204)
2025-06-12 ics-cert@hq.dhs.gov
8.6
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 14, 2026 - 21:20 euvd
EUVD-2025-18211
Analysis Generated
Mar 14, 2026 - 21:20 vuln.today
CVE Published
Jun 12, 2025 - 20:15 nvd
HIGH 8.6

DescriptionCVE.org

User names used to access the web management interface are limited to the device identifier, which is a numerical identifier no more than 10 digits. A malicious actor can enumerate potential targets by incrementing or decrementing from known identifiers or through enumerating random digit sequences.

AnalysisAI

User enumeration vulnerability affecting web management interfaces where usernames are limited to device identifiers (10-digit numerical values). An unauthenticated remote attacker can enumerate valid user accounts by systematically testing digit sequences, potentially gaining information disclosure and limited system manipulation capabilities. The CVSS 8.6 rating reflects high confidentiality impact, though patch status and active exploitation details require vendor-specific assessment.

Technical ContextAI

This vulnerability is rooted in CWE-204 (Observable Discrepancy / Information Exposure Through Discrepancy), where the authentication mechanism exhibits detectable differences between valid and invalid usernames. The underlying issue stems from poor username entropy combined with weak or absent enumeration protection mechanisms (rate limiting, account lockout delays, response time analysis resistance). Devices using sequential or predictable numerical identifiers as sole authentication credentials create a trivial enumeration surface. The web management interface likely lacks protections such as: constant-time response comparisons, progressive delays on failed attempts, CAPTCHA challenges, or account lockout policies. This is compounded by the 10-digit maximum constraint (~1 billion possible values), making brute-force enumeration computationally feasible.

RemediationAI

Immediate remediation steps: (1) Contact vendor for patches addressing enumeration protection; (2) Apply vendor-supplied firmware updates when available—specifics depend on device manufacturer; (3) Interim mitigations: restrict management interface access via firewall rules limiting source IP ranges, implement WAF/IDS rules detecting sequential authentication attempts, enforce rate limiting on login endpoints, implement account lockout after failed attempts; (4) Administrative controls: disable default/predictable device identifiers where possible, require strong supplementary authentication (MFA), monitor authentication logs for enumeration patterns; (5) Architectural: network segmentation isolating management interfaces to trusted administrative networks. Vendors should implement enumeration defenses: constant-time username validation, progressive delays, CAPTCHAs, and consider randomized or longer usernames.

CVE-2012-2441 HIGH POC
8.5 Apr 28

RuggedCom Rugged Operating System (ROS) before 3.3 has a factory account with a password derived from the MAC Address fi

CVE-2024-42850 CRITICAL POC
9.8 Aug 16

An issue in the password change function of Silverpeas v6.4.2 and lower allows for the bypassing of password complexity

CVE-2025-28200 CRITICAL POC
9.8 May 09

Victure RX1800 EN_V1.0.0_r12_110933 was discovered to utilize a weak default password which includes the last 8 digits o

CVE-2025-28389 CRITICAL POC
9.8 Jun 13

Critical authentication bypass vulnerability in OpenC3 COSMOS v6.0.0 caused by weak password requirements that enable br

CVE-2025-63747 CRITICAL POC
9.8 Nov 17

QaTraq 6.9.2 ships with administrative account credentials which are enabled in default installations and permit immedia

CVE-2023-37756 CRITICAL POC
9.8 Sep 14

I-doit pro 25 and below and I-doit open 25 and below employ weak password requirements for Administrator account creatio

CVE-2023-2160 CRITICAL POC
9.8 Apr 18

Weak Password Requirements in GitHub repository modoboa/modoboa prior to 2.1.0. Rated critical severity (CVSS 9.8), this

CVE-2023-2106 CRITICAL POC
9.8 Apr 15

Weak Password Requirements in GitHub repository janeczku/calibre-web prior to 0.6.20. Rated critical severity (CVSS 9.8)

CVE-2023-1753 CRITICAL POC
9.8 Mar 31

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.12. Rated critical severity (CVSS 9.8), t

CVE-2022-44236 CRITICAL POC
9.8 Dec 15

Beijing Zed-3 Technologies Co.,Ltd VoIP simpliclty ASG 8.5.0.17807 (20181130-16:12) has a Weak password vulnerability. R

CVE-2022-3754 CRITICAL POC
9.8 Oct 29

Weak Password Requirements in GitHub repository thorsten/phpmyfaq prior to 3.1.8. Rated critical severity (CVSS 9.8), th

CVE-2022-3268 CRITICAL POC
9.8 Sep 22

Weak Password Requirements in GitHub repository ikus060/minarca prior to 4.2.2. Rated critical severity (CVSS 9.8), this

Share

EUVD-2025-18211 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy