PT-2025-49549 · Unknown · Vulnerability-Lookup

Published: 2025-12-08 · Updated: 2025-12-08 · CVE-2025-42615

CVSS v4.0: 8.1 (High)
Vector: AV:N/AC:L/AT:N/PR:H/UI:A/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Vulnerability-Lookup versions prior to 2.18.0

Description: The software did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker with a valid username and password could submit numerous OTP codes without triggering account lockout or administrator alerts. This lack of rate-limiting and lockout reduces the cost of brute-force attacks against 2FA codes, increasing the risk of account takeover, particularly with low-entropy OTPs. Administrators also lacked visibility into repeated 2FA failures, hindering detection of targeted attacks. The patch introduces a failed OTP attempts counter, locks accounts after five invalid submissions, resets the counter upon successful verification, and displays failed attempts in the admin user list, improving monitoring and enforcing an account lockout policy.

Recommendations: Upgrade to version 2.18.0 or later.
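The control the patch adds, shown as an added example that is not Vulnerability-Lookup's own code: a 2FA verification gate that counts failed OTP submissions per user, locks the account after five invalid codes (the threshold the advisory states), resets the counter on a successful verification, and exposes the counts for an admin user list. The in-memory user store, the `User` and `OtpGate` names, the audit log and the OTP values are all constructed for this demonstration; a real deployment would persist the counter and the lock state alongside the user record.

```python
import hmac
from dataclasses import dataclass

# Lockout threshold from the advisory: five invalid submissions.
MAX_FAILED_OTP_ATTEMPTS = 5


@dataclass
class User:
    """Constructed user record; `current_otp` stands in for the code a TOTP
    library would compute for the current time window."""
    name: str
    current_otp: str
    failed_otp_attempts: int = 0
    locked: bool = False


class OtpGate:
    """Second-factor check with per-user failure counting and lockout."""

    def __init__(self, users):
        self._users = {u.name: u for u in users}
        # One entry per failure or lockout, so repeated 2FA failures are
        # visible to administrators and can feed alerting.
        self.audit_log = []

    def verify(self, username: str, submitted_code: str) -> str:
        """Return "ok", "invalid" or "locked" for a submitted OTP."""
        user = self._users[username]
        if user.locked:
            self.audit_log.append(f"otp_rejected user={username} reason=locked")
            return "locked"
        # Constant-time comparison so timing does not leak the expected code.
        if hmac.compare_digest(submitted_code.encode(), user.current_otp.encode()):
            user.failed_otp_attempts = 0   # reset on success, as the patch does
            return "ok"
        user.failed_otp_attempts += 1
        self.audit_log.append(
            f"otp_failed user={username} count={user.failed_otp_attempts}")
        if user.failed_otp_attempts >= MAX_FAILED_OTP_ATTEMPTS:
            user.locked = True
            self.audit_log.append(f"account_locked user={username}")
            return "locked"
        return "invalid"

    def admin_user_list(self):
        """Rows for the admin user list: name, failed attempts, locked flag."""
        return [(u.name, u.failed_otp_attempts, u.locked)
                for u in self._users.values()]

    def admin_unlock(self, username: str) -> None:
        """Administrative reset after the failures have been reviewed."""
        user = self._users[username]
        user.failed_otp_attempts = 0
        user.locked = False


def demo():
    """Constructed scenario: alice is attacked, bob mistypes twice then succeeds."""
    gate = OtpGate([User("alice", "123456"), User("bob", "654321")])
    alice_results = [gate.verify("alice", "000000") for _ in range(5)]
    alice_after_lock = gate.verify("alice", "123456")  # correct code, but locked
    bob_results = [gate.verify("bob", "111111"), gate.verify("bob", "222222"),
                   gate.verify("bob", "654321")]
    return alice_results, alice_after_lock, bob_results, gate.admin_user_list()


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Once the lock is set, even the correct code is refused until an administrator clears it, which is what removes the attacker's ability to keep guessing; the admin list and audit log give the visibility the advisory says was missing.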

Fix

Weakness Enumeration: Improper Restriction of Excessive Authentication Attempts

Related Identifiers: CVE-2025-42615

Affected Products: Vulnerability-Lookup