e-BOK
Unlimited brute-force attacks against KTM System e-BOK user accounts are enabled by the complete absence of login rate limiting, account lockout, or authentication throttling on the portal's login endpoint. All versions prior to the June 2026 patch are affected, with the risk materially amplified by companion vulnerability CVE-2026-35097, which constrains passwords to a six-digit numeric format - reducing the effective keyspace to 1,000,000 combinations and making full exhaustion feasible with standard tooling in minutes to hours. No public exploit code or CISA KEV listing has been identified at time of analysis, but the combination of these two flaws represents a near-trivially exploitable account takeover path against any e-BOK deployment where both vulnerabilities are present.
KTM System e-BOK enforces a system-wide password policy that restricts all user credentials to exactly six numeric digits, prohibiting alphabetic, special, or extended characters and producing a maximum keyspace of only 1,000,000 possible values (10^6). This CWE-521 (Weak Password Requirements) flaw enables remote unauthenticated brute-force attacks against any customer account, as confirmed by the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N). No public exploit code or CISA KEV listing exists, but the trivial keyspace means no specialized tooling is required - standard credential automation suffices. CERT-PL reported the issue; a vendor patch was published in June 2026.
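The two findings above (no throttling, six-digit numeric passwords) are closed by the same control point. The following is an added example, not KTM System code: a minimal login gate with a password policy that rejects the CWE-521 format and a per-account lockout, plus a function that shows how much of a 10^6 keyspace an online attacker can still try per day under that lockout. All names and the lockout parameters are assumptions.

```python
"""Added example (not KTM System code): login gate closing the two findings
above. Models (1) a password policy that rejects the six-digit numeric
format and (2) a per-account failed-attempt lockout. Names are assumptions."""
import hmac
from dataclasses import dataclass

MAX_FAILURES = 5           # assumption: lock after five consecutive failures
LOCKOUT_SECONDS = 15 * 60  # assumption: 15-minute lockout window


def password_policy_ok(password: str) -> bool:
    """Reject passwords matching the CWE-521 pattern on this page:
    shorter than 12 characters, or made only of digits."""
    if len(password) < 12:
        return False
    return not password.isdigit()


@dataclass
class Account:
    secret: str            # constructed sample; real code stores a password hash
    failures: int = 0
    locked_until: float = 0.0


class LoginGate:
    def __init__(self, accounts: dict):
        self.accounts = accounts

    def attempt(self, user: str, password: str, now: float) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "denied"        # same answer as a bad password: no user enumeration
        if now < acct.locked_until:
            return "locked"        # do not even evaluate the password while locked
        if hmac.compare_digest(acct.secret.encode(), password.encode()):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"


def online_guess_fraction_per_day(keyspace: int) -> float:
    """Fraction of the keyspace one attacker can try per day against a single
    account under the lockout above (with no throttling it would be 100%)."""
    windows_per_day = 24 * 3600 / LOCKOUT_SECONDS
    return MAX_FAILURES * windows_per_day / keyspace
```

For the 1,000,000-value keyspace in the advisory, the lockout limits an online attacker to 480 guesses per account per day, i.e. 0.048% of the keyspace, instead of full exhaustion.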
CSRF flaws in KTM System e-BOK's email-change and password-change endpoints allow any remote, unauthenticated attacker to trigger account credential changes on behalf of an authenticated victim by luring them to a malicious web page. Reported by CERT-PL, the vulnerabilities affect all e-BOK versions prior to the June 2026 patch and carry a CVSS 4.0 score of 5.1 (Medium). No public exploit code or CISA KEV listing has been identified at time of analysis, but the attack is trivially constructible given the well-understood CSRF class and the public CERT-PL advisory.
Session fixation in KTM System e-BOK (an online customer service portal) enables an attacker to preset a session identifier in a victim's browser before authentication, which the application then retains unchanged after successful login. Because the server accepts a client-supplied cookie value and never regenerates it at the authentication boundary, an attacker who controls the initial session token can hijack the victim's fully authenticated session. A patch was published by KTM System in June 2026; no public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
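The fixation defect described above, as an added example that is not KTM System code: a minimal session store whose vulnerable login keeps whatever cookie value the client presented, beside a fixed login that discards the pre-authentication id and issues a fresh one at the authentication boundary, with a defender's check that replays the advisory's scenario against both. Class and method names are assumptions.

```python
"""Added example (not KTM System code): session fixation beside its fix.
The vulnerable login adopts a client-supplied id; the fixed login discards
it and regenerates the id on authentication. Names are assumptions."""
import secrets


class SessionStore:
    def __init__(self):
        self.sessions = {}          # session id -> {"user": str | None}

    def new_anonymous(self) -> str:
        """Issue a server-generated pre-authentication session id."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid: str):
        return self.sessions.get(sid, {}).get("user")

    def login_vulnerable(self, presented_sid: str, user: str) -> str:
        # Defect: trusts the presented id (even one the server never issued)
        # and keeps it after authentication, so whoever planted the id in the
        # victim's browser now holds an authenticated session.
        self.sessions.setdefault(presented_sid, {"user": None})
        self.sessions[presented_sid]["user"] = user
        return presented_sid

    def login_fixed(self, presented_sid: str, user: str) -> str:
        # Fix: the id known before authentication is discarded, whether or
        # not the server issued it, and a fresh id is bound to the user.
        # The new value must be sent in Set-Cookie as HttpOnly and Secure.
        self.sessions.pop(presented_sid, None)
        fresh = secrets.token_urlsafe(32)
        self.sessions[fresh] = {"user": user}
        return fresh


def planted_id_is_authenticated(login_method_name: str) -> bool:
    """Defender's check replaying the advisory's scenario: an id is planted
    before authentication, the victim logs in, and we ask whether the planted
    id now carries the victim's session. True reproduces the defect."""
    store = SessionStore()
    planted = "planted-before-login"    # constructed value, never issued by the server
    login = getattr(store, login_method_name)
    login(planted, "victim")
    return store.user_for(planted) == "victim"
```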