CVE-2025-8118
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-30

Last updated on: 2025-11-26

Assigner: CERT.PL

Description
PAD CMS implements weak client-side brute-force protection by utilizing two cookies:  login_count and login_timeout. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting those cookies. This issue affects all 3 templates: www, bip and www+bip. This product is End-Of-Life and producent will not publish patches for this vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-30
Last Modified
2025-11-26
Generated
2026-06-16
AI Q&A
2025-09-30
EPSS Evaluated
2026-06-15
NVD
CVE-2025-8118
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
widzialni pad_cms to 1.2.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in PAD CMS is due to weak client-side brute-force protection. The system uses two cookies, login_count and login_timeout, to track login attempts and timeout periods, but this information is not stored on the server. Because of this, an attacker can reset these cookies to bypass the brute-force protection mechanism and repeatedly attempt to guess passwords without restriction.

Impact Analysis

This vulnerability allows an attacker to bypass brute-force protections and potentially gain unauthorized access to user accounts by repeatedly attempting passwords without being blocked or delayed. This can lead to account compromise, unauthorized data access, and potential further exploitation of the system.

Mitigation Strategies

Since PAD CMS is End-Of-Life and no patches will be published, immediate mitigation steps include disabling or restricting access to the affected login functionality, implementing server-side brute-force protections such as rate limiting or IP blocking, and monitoring for suspicious login attempts. Additionally, consider migrating to a supported CMS platform to avoid unpatched vulnerabilities.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8118. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart