CVE-2025-23368
Published: 04 March 2025
Description
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Security Summary
CVE-2025-23368, published on 2025-03-04, is a vulnerability in the WildFly Elytron integration. The affected component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via the CLI. It carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H) and maps to CWE-307: Improper Restriction of Excessive Authentication Attempts.
Remote network attackers can exploit this flaw without privileges or user interaction, although the attack complexity is high. By brute forcing the CLI authentication mechanism, an attacker can potentially gain unauthorized access, with high impact to confidentiality, integrity, and availability.
Mitigation details are available in the Red Hat security advisory at https://access.redhat.com/security/cve/CVE-2025-23368 and the associated Bugzilla entry at https://bugzilla.redhat.com/show_bug.cgi?id=2337621.
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a lack of rate limiting on authentication attempts in the WildFly Elytron CLI mechanism, which directly enables brute force attacks (T1110) to obtain unauthorized access.