CVE-2025-35041
BaseFortify
Publication date: 2025-09-22
Last updated on: 2025-12-19
Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| airship.ai | acropolis | to 10.2.35 (exc) |
| airship.ai | acropolis | From 11.0.0 (inc) to 11.0.21 (exc) |
| airship.ai | acropolis | From 11.1.0 (inc) to 11.1.9 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-307 | The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Airship AI Acropolis allows an attacker who has valid user credentials to attempt unlimited Multi-Factor Authentication (MFA) codes for 15 minutes after login. Specifically, the attacker can brute-force the 6-digit MFA code during this time window, bypassing normal MFA attempt limits.
How can this vulnerability impact me? :
The vulnerability can allow a remote attacker with valid credentials to bypass MFA protections by brute-forcing the 6-digit MFA code within 15 minutes after login. This can lead to unauthorized access to user accounts, potentially compromising sensitive data and system integrity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately update Airship AI Acropolis to one of the fixed versions: 10.2.35, 11.0.21, or 11.1.9. Until the update is applied, consider restricting access to the system, monitoring for unusual MFA attempts, and enforcing additional security controls to limit brute-force attempts on the 6-digit MFA code.