CVE-2025-42615
BaseFortify

Publication date: 2025-12-08

Last updated on: 2025-12-08

Assigner: ENISA

Description
In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the account to be locked or generating any specific alert for administrators. This lack of rate-limiting and lockout on OTP failures significantly lowers the cost of online brute-force attacks against 2FA codes and increases the risk of successful account takeover, especially if OTP entropy is reduced (e.g. short numeric codes, user reuse, or predictable tokens). Additionally, administrators had no direct visibility into accounts experiencing repeated 2FA failures, making targeted attacks harder to detect and investigate.

The patch introduces a persistent failed_otp_attempts counter on user accounts, locks the user after 5 invalid OTP submissions, resets the counter on successful verification, and surfaces failed 2FA attempts in the admin user list. This enforces an account lockout policy for OTP brute-force attempts and improves monitoring capabilities for suspicious 2FA activity. This issue affects Vulnerability-Lookup: before 2.18.0.
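The following is an added illustration of the lockout mechanism the patch describes; it is not vulnerability-lookup's own code. It assumes a user table with a persistent failed_otp_attempts column, a threshold of 5 (from the advisory), and stands in for a real TOTP check with a constructed per-user expected code stored as otp_code. The pre-patch behaviour is kept side by side so the difference is visible: without a counter, every wrong code is simply rejected and the verifier can be queried without limit.

```python
"""Added example, not vulnerability-lookup's code: OTP verification with a
persistent failed_otp_attempts counter, lockout after MAX_FAILED_OTP failures,
reset on success, and an admin view of per-user failure counts.
Schema, function names and the otp_code stand-in are assumptions."""
import hmac
import sqlite3
from dataclasses import dataclass

MAX_FAILED_OTP = 5  # lock threshold stated in the advisory

# Constructed schema: otp_code stands in for a real TOTP/HOTP comparison.
SCHEMA = """
CREATE TABLE users (
    name                TEXT PRIMARY KEY,
    otp_code            TEXT    NOT NULL,
    failed_otp_attempts INTEGER NOT NULL DEFAULT 0,
    locked              INTEGER NOT NULL DEFAULT 0
)
"""


def open_db():
    """In-memory store standing in for the application's persistent user table."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    # Constructed sample users and codes; a real deployment derives codes from a seed.
    conn.executemany("INSERT INTO users (name, otp_code) VALUES (?, ?)",
                     [("alice", "493017"), ("bob", "120934")])
    return conn


@dataclass
class OtpResult:
    ok: bool
    locked: bool
    failed_attempts: int


def _codes_match(expected: str, submitted: str) -> bool:
    # Constant-time comparison on bytes so non-ASCII input cannot raise.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def verify_otp_unlimited(conn, name, submitted):
    """Pre-patch behaviour (CWE-307): a wrong code is rejected but nothing is
    recorded, so the caller may retry as often as it likes."""
    row = conn.execute("SELECT otp_code FROM users WHERE name = ?", (name,)).fetchone()
    ok = row is not None and _codes_match(row["otp_code"], submitted)
    return OtpResult(ok=ok, locked=False, failed_attempts=0)


def verify_otp(conn, name, submitted):
    """Patched behaviour: count failures persistently, lock at the threshold,
    reset the counter on success. A locked account is refused before the code
    is compared, so the verifier stops acting as an oracle once the limit hits."""
    row = conn.execute(
        "SELECT otp_code, failed_otp_attempts, locked FROM users WHERE name = ?",
        (name,)).fetchone()
    if row is None:
        return OtpResult(False, False, 0)
    if row["locked"]:
        return OtpResult(False, True, row["failed_otp_attempts"])
    if _codes_match(row["otp_code"], submitted):
        conn.execute("UPDATE users SET failed_otp_attempts = 0 WHERE name = ?", (name,))
        conn.commit()
        return OtpResult(True, False, 0)
    attempts = row["failed_otp_attempts"] + 1
    locked = attempts >= MAX_FAILED_OTP
    conn.execute("UPDATE users SET failed_otp_attempts = ?, locked = ? WHERE name = ?",
                 (attempts, int(locked), name))
    conn.commit()
    return OtpResult(False, locked, attempts)


def admin_user_list(conn):
    """What the patch surfaces to administrators: (user, failed 2FA count, locked)."""
    rows = conn.execute(
        "SELECT name, failed_otp_attempts, locked FROM users ORDER BY name")
    return [(r["name"], r["failed_otp_attempts"], bool(r["locked"])) for r in rows]


if __name__ == "__main__":
    db = open_db()
    for _ in range(6):
        print(verify_otp(db, "alice", "000000"))  # fifth failure locks alice
    print(admin_user_list(db))
```

The admin list is the detection hook: a user whose failed_otp_attempts climbs while nobody is travelling or re-enrolling a device is the signal the advisory says administrators previously could not see.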
Meta Information
Generated: 2026-05-07
AI Q&A: 2025-12-08
EPSS evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
1 associated CPE:
Vendor: vulnerability-lookup
Product: vulnerability-lookup
Version / Range: 2.18.0
CWE
CWE-307: The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Vulnerability-Lookup before version 2.18.0 involves the lack of tracking or limiting failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA). An attacker who knows or guesses a valid username and password can submit unlimited OTP codes without triggering account lockout or alerts, making brute-force attacks on 2FA codes easier and increasing the risk of account takeover.


How can this vulnerability impact me?

The vulnerability lowers the cost and difficulty of brute-force attacks against 2FA codes, increasing the risk that an attacker can successfully take over user accounts. Since administrators do not receive alerts or visibility into repeated failed OTP attempts, detecting and investigating targeted attacks becomes harder, potentially leading to unauthorized access and compromise of sensitive accounts.


What immediate steps should I take to mitigate this vulnerability?

Apply the patch to upgrade Vulnerability-Lookup to version 2.18.0 or later, which introduces a persistent failed_otp_attempts counter, locks user accounts after 5 invalid OTP submissions, resets the counter on successful verification, and surfaces failed 2FA attempts in the admin user list. This enforces account lockout policies and improves monitoring of suspicious 2FA activity.

