CVE-2025-35041
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-22

Last updated on: 2025-12-19

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description
Airship AI Acropolis allows unlimited MFA attempts for 15 minutes after a user has logged in with valid credentials. A remote attacker with valid credentials could brute-force the 6-digit MFA code. Fixed in 10.2.35, 11.0.21, and 11.1.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-22
Last Modified
2025-12-19
Generated
2026-06-16
AI Q&A
2025-09-22
EPSS Evaluated
2026-06-15
NVD
CVE-2025-35041
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
airship.ai acropolis to 10.2.35 (exc)
airship.ai acropolis From 11.0.0 (inc) to 11.0.21 (exc)
airship.ai acropolis From 11.1.0 (inc) to 11.1.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Airship AI Acropolis allows an attacker who has valid user credentials to attempt unlimited Multi-Factor Authentication (MFA) codes for 15 minutes after login. Specifically, the attacker can brute-force the 6-digit MFA code during this time window, bypassing normal MFA attempt limits.

Impact Analysis

The vulnerability can allow a remote attacker with valid credentials to bypass MFA protections by brute-forcing the 6-digit MFA code within 15 minutes after login. This can lead to unauthorized access to user accounts, potentially compromising sensitive data and system integrity.

Mitigation Strategies

To mitigate this vulnerability, immediately update Airship AI Acropolis to one of the fixed versions: 10.2.35, 11.0.21, or 11.1.9. Until the update is applied, consider restricting access to the system, monitoring for unusual MFA attempts, and enforcing additional security controls to limit brute-force attempts on the 6-digit MFA code.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-35041. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart