CVE-2025-8118
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-8118, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-09-30

Last updated on: 2025-11-26

Assigner: CERT.PL

Description

PAD CMS implements weak client-side brute-force protection by utilizing two cookies:  login_count and login_timeout. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting those cookies. This issue affects all 3 templates: www, bip and www+bip. This product is End-Of-Life and producent will not publish patches for this vulnerability.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-09-30
Last Modified
2025-11-26
Generated
2026-07-06
AI Q&A
2025-09-30
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
widzialni pad_cms to 1.2.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in PAD CMS is due to weak client-side brute-force protection. The system uses two cookies, login_count and login_timeout, to track login attempts and timeout periods, but this information is not stored on the server. Because of this, an attacker can reset these cookies to bypass the brute-force protection mechanism and repeatedly attempt to guess passwords without restriction.

Impact Analysis

This vulnerability allows an attacker to bypass brute-force protections and potentially gain unauthorized access to user accounts by repeatedly attempting passwords without being blocked or delayed. This can lead to account compromise, unauthorized data access, and potential further exploitation of the system.

Mitigation Strategies

Since PAD CMS is End-Of-Life and no patches will be published, immediate mitigation steps include disabling or restricting access to the affected login functionality, implementing server-side brute-force protections such as rate limiting or IP blocking, and monitoring for suspicious login attempts. Additionally, consider migrating to a supported CMS platform to avoid unpatched vulnerabilities.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-8118. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart