CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
Description
Raytha CMS does not have any brute force protection mechanism implemented. It allows an attacker to send multiple automated logon requests without triggering lockout, throttling, or step-up challenges. This issue was fixed in version 1.4.6.
Analysis
Raytha CMS lacks brute force protection, so an attacker can submit an unlimited number of automated login attempts without triggering account lockout, rate limiting, or a step-up (MFA) challenge. Versions prior to 1.4.6 are affected. The weakness lets an attacker run high-volume password guessing or credential stuffing against known or guessed usernames, and, if the application's login responses allow valid usernames to be distinguished from invalid ones, the same lack of throttling makes username enumeration cheap. The practical impact is unauthorized access, up to and including administrative accounts, and depends on password strength and on whether valid usernames can be discovered.
Technical Context
This vulnerability falls under CWE-307 (Improper Restriction of Excessive Authentication Attempts), the weakness class for authentication handlers that do not limit how many times an attacker may try. Raytha CMS implements user authentication without industry-standard defensive measures such as account lockout after repeated failures, exponential backoff delays, CAPTCHA challenges, or IP-based rate limiting. The root cause is missing state in the authentication handler: it does not record consecutive failures per user account or per source IP, so it has nothing on which to base a lockout, delay, or throttle and simply processes login requests as fast as they arrive.
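The failure tracking that the paragraph above says is missing, shown as an added example. This is not Raytha's code and not the fix shipped in 1.4.6; it is a hypothetical in-memory policy whose names (LoginThrottle, check, record, simulate) and thresholds are assumptions, chosen to match the five-failures-in-15-minutes figure used in the remediation section. It counts failures per account and per source IP over a sliding window, locks an account after too many consecutive failures, and returns an exponential back-off delay for the caller to enforce.

```python
"""Added example (not Raytha's code): the per-account and per-source-IP
failure tracking that a CWE-307-free authentication handler needs.
Thresholds and window are assumptions for illustration."""
from collections import defaultdict, deque

MAX_ACCOUNT_FAILURES = 5      # consecutive failures before the account is locked
MAX_IP_FAILURES = 20          # failures from one source IP across all accounts
WINDOW_SECONDS = 15 * 60      # sliding window over which failures are counted
LOCKOUT_SECONDS = 15 * 60     # how long a locked account stays locked


class LoginThrottle:
    """In-memory throttle state. A real deployment keeps this in a store shared
    by all application instances (e.g. Redis) so an attacker cannot reset the
    count by hitting a different node."""

    def __init__(self):
        self._account_fail = defaultdict(deque)   # username -> failure timestamps
        self._ip_fail = defaultdict(deque)        # source ip -> failure timestamps
        self._locked_until = {}                   # username -> unix time of unlock

    @staticmethod
    def _prune(times, now):
        # Drop timestamps that have aged out of the sliding window.
        while times and now - times[0] > WINDOW_SECONDS:
            times.popleft()

    def check(self, username, ip, now):
        """Decide *before* verifying the password whether this attempt may proceed.

        Returns (allowed, reason, delay_seconds). delay_seconds is the
        exponential back-off the caller should enforce (e.g. via Retry-After)
        even when the attempt is allowed.
        """
        until = self._locked_until.get(username)
        if until is not None and now < until:
            return False, "account_locked", until - now
        ip_times = self._ip_fail[ip]
        self._prune(ip_times, now)
        if len(ip_times) >= MAX_IP_FAILURES:
            return False, "ip_rate_limited", WINDOW_SECONDS - (now - ip_times[0])
        acct_times = self._account_fail[username]
        self._prune(acct_times, now)
        recent = len(acct_times)
        delay = 0 if recent == 0 else 2 ** (recent - 1)   # 0, 1, 2, 4, 8 ... seconds
        return True, "ok", delay

    def record(self, username, ip, success, now):
        """Update state with the outcome of a password check that was allowed to run."""
        if success:
            self._account_fail[username].clear()
            self._locked_until.pop(username, None)
            return
        acct_times = self._account_fail[username]
        acct_times.append(now)
        self._ip_fail[ip].append(now)
        self._prune(acct_times, now)
        if len(acct_times) >= MAX_ACCOUNT_FAILURES:
            self._locked_until[username] = now + LOCKOUT_SECONDS


def simulate(attempts):
    """attempts: list of (time, username, ip, password_is_correct).
    Returns one outcome string per attempt. Constructed scenario, not real traffic."""
    throttle = LoginThrottle()
    outcomes = []
    for now, username, ip, correct in attempts:
        allowed, reason, _delay = throttle.check(username, ip, now)
        if not allowed:
            outcomes.append(reason)
            continue
        throttle.record(username, ip, correct, now)
        outcomes.append("login_ok" if correct else "bad_password")
    return outcomes


if __name__ == "__main__":
    # Without tracking the 9th guess would log in; with it the account is
    # locked until the lockout expires, after which the correct password works.
    stuffing = [(t, "admin", "203.0.113.7", False) for t in range(8)]
    stuffing.append((8, "admin", "203.0.113.7", True))
    stuffing.append((8 + LOCKOUT_SECONDS + 1, "admin", "203.0.113.7", True))
    print(simulate(stuffing))
```

The check runs before the password is verified so that a locked or rate-limited request costs no hashing work; the per-IP budget is deliberately higher than the per-account one because a single address legitimately serves many users behind NAT, while the per-account counter is what stops a distributed attack on one account. Note the trade-off: account lockout lets an attacker lock out a victim on purpose, which is why the lockout window here is short and why the back-off delay rather than a hard lock is the first line of defence.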
Affected Products
Raytha CMS versions prior to 1.4.6 are affected by this brute force vulnerability. The specific affected version range includes all releases before 1.4.6, though exact lower-bound versioning is not specified in available intelligence. Organizations running Raytha CMS should verify their installed version and upgrade immediately to 1.4.6 or later to obtain the fix that implements brute force protection mechanisms.
Remediation
Upgrade Raytha CMS to version 1.4.6 or later, which adds brute force protection. Until the upgrade is in place, apply compensating controls: enforce lockout at the application or reverse proxy layer, for example with ModSecurity or Fail2ban blocking an IP after five failed login attempts within a 15-minute window; enable MFA for all administrative accounts so that a guessed password alone is not enough; rate limit the login endpoint at the reverse proxy (e.g. 5 requests per minute per IP); and monitor authentication logs both for bursts of failures from one address and for a single account being tried from many addresses. Two caveats apply to proxy-level controls: they can only count failed logins if a failed login is distinguishable in what the proxy sees (a status code or a logged event rather than a 200 response with an error message), and per-IP blocking does not stop a distributed attack, so treat it as a reduction in attack rate rather than a substitute for per-account controls. For on-premises deployments, restrict administrative access to known IP ranges with firewall rules and consider a WAF with built-in brute force detection rules.
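The log monitoring recommended above, as an added example that is not from vuln.today or the Raytha project. The log format, the sample lines and the IP addresses are constructed for the example; the regex must be adapted to whatever the reverse proxy or application actually emits. It applies two complementary rules: the Fail2ban-style "five failures from one IP inside 15 minutes" rule, and a per-account rule that catches one username being tried from several addresses, which the per-IP rule never sees.

```python
"""Added example (not vuln.today's or Raytha's code): offline detection of
brute-force patterns in authentication logs. Log format and sample data are
constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, source IP, username, outcome.
# 203.0.113.7 hammers 'admin'; three addresses share a spray against 'editor';
# 192.0.2.9 tries 'bob' once an hour (low and slow).
SAMPLE_LOG = """\
2025-01-10T10:00:01Z 203.0.113.7 admin FAIL
2025-01-10T10:00:02Z 203.0.113.7 admin FAIL
2025-01-10T10:00:03Z 203.0.113.7 admin FAIL
2025-01-10T10:00:04Z 203.0.113.7 admin FAIL
2025-01-10T10:00:05Z 203.0.113.7 admin FAIL
2025-01-10T10:00:06Z 203.0.113.7 admin FAIL
2025-01-10T10:05:00Z 198.51.100.4 alice FAIL
2025-01-10T10:05:30Z 198.51.100.4 alice OK
2025-01-10T11:00:00Z 192.0.2.9 editor FAIL
2025-01-10T11:00:10Z 192.0.2.10 editor FAIL
2025-01-10T11:00:20Z 192.0.2.11 editor FAIL
2025-01-10T12:00:00Z 192.0.2.9 bob FAIL
2025-01-10T13:00:00Z 192.0.2.9 bob FAIL
2025-01-10T14:00:00Z 192.0.2.9 bob FAIL
2025-01-10T15:00:00Z 192.0.2.9 bob FAIL
2025-01-10T16:00:00Z 192.0.2.9 bob FAIL
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")


def parse_log(text):
    """Return a list of (timestamp, ip, username, success); skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4) == "OK"))
    return events


def find_bruteforce(events, ip_threshold=5, window=timedelta(minutes=15), spray_ips=3):
    """Two complementary rules:
    1. a source IP with >= ip_threshold failures inside any sliding window
       (the per-IP rule a Fail2ban jail would implement);
    2. an account that receives failures from >= spray_ips distinct IPs,
       which catches distributed sprays that never trip rule 1.
    Returns (flagged_ips: {ip: peak failures in one window}, sprayed: {user: [ips]}).
    """
    fails_by_ip = defaultdict(list)
    ips_by_user = defaultdict(set)
    for ts, ip, user, success in events:
        if success:
            continue
        fails_by_ip[ip].append(ts)
        ips_by_user[user].add(ip)

    flagged_ips = {}
    for ip, times in fails_by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # two-pointer sliding window
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= ip_threshold:
            flagged_ips[ip] = peak

    sprayed = {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) >= spray_ips}
    return flagged_ips, sprayed


if __name__ == "__main__":
    flagged, sprayed = find_bruteforce(parse_log(SAMPLE_LOG))
    print("burst from single IP:", flagged)   # 203.0.113.7 trips rule 1
    print("distributed spray:", sprayed)       # 'editor' trips rule 2
    # 192.0.2.9's hourly attempts on 'bob' trip neither rule: a per-account
    # consecutive-failure counter inside the application is needed for that.
```

The low-and-slow case in the sample is the point of the exercise: proxy-side and log-side IP rules only see rate, so an attacker who stays under the window threshold is invisible to them, and only the application, which knows that five consecutive failures against one account have occurred regardless of timing, can act on it.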
EUVD-2025-208717