Cyber Resilience

CVE-2024-41276

Severity: Critical
Published: 01 October 2024
Modified: 15 April 2026
KEV Added: not listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1356 (94.4th percentile)
Risk Priority: 28 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-41276 is a critical-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Kaiten, with a CVSS v3.1 base score of 9.8 (Critical).

Operationally, its EPSS score places it in the top 5.6% of CVEs by estimated exploit likelihood (94.4th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-41276 affects Kaiten versions 57.131.12 and earlier. After a user submits valid login credentials, the application emails a 6-digit PIN that must be entered to complete the login. The vulnerability, classified under CWE-307, is that the request limiting around this PIN verification step can be bypassed, so the PIN can be brute-forced: with only 10^6 possible values, unthrottled guessing succeeds within a million submissions (half that on average) unless the code expires or is rotated first.

An attacker who knows or can obtain valid login credentials, but has not passed the PIN check, can repeatedly submit PIN guesses until the correct value is found, resulting in full unauthorized access to the application. No foothold on the target is needed to do this, which is why the vector is scored PR:N; the CVSS 9.8 score reflects the network-accessible, low-complexity nature of the attack and its impact on confidentiality, integrity, and availability.

The accompanying GitHub reference provides a proof-of-concept, while the vendor site at kaiten.ru offers no public mitigation details in the supplied references. The EPSS score has remained flat at 0.1356 with no observed rise after disclosure.
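The attack described above leaves a distinctive trace in server-side authentication logs: many failed PIN submissions for one account in a short window, typically from rotating source addresses when a client-keyed limiter is being bypassed, followed by a success when the guess lands. The detector below is an added example, not code from Kaiten or from the page's references. It assumes a hypothetical log line format (`<ISO-8601 UTC> auth pin_verify user=<u> result=<fail|ok> src=<ip>`), the threshold and window are assumptions to tune to the deployed PIN policy, and the sample log is constructed inline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Hypothetical log format (assumption):
#   "<ISO-8601 UTC> auth pin_verify user=<u> result=<fail|ok> src=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) auth pin_verify "
    r"user=(?P<user>\S+) result=(?P<result>\w+) src=(?P<src>\S+)$"
)
FAIL_THRESHOLD = 20     # failed PIN submissions per account per window (assumption; tune)
WINDOW_SECONDS = 300    # sliding window length (assumption)


def parse(line: str) -> Optional[dict]:
    """Parse one line into a dict with a tz-aware 'ts'; None for lines that are not PIN events."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(lines, threshold: int = FAIL_THRESHOLD, window: int = WINDOW_SECONDS) -> Dict[str, dict]:
    """Sliding-window count of PIN failures per account. An alert is opened when an
    account reaches `threshold` failures inside `window` seconds and is kept up to
    date afterwards; a later success on an alerted account is flagged, because that
    is what a completed brute force looks like."""
    recent: Dict[str, deque] = defaultdict(deque)   # user -> (ts, src) of failures in window
    alerts: Dict[str, dict] = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        user, ts, src = ev["user"], ev["ts"], ev["src"]
        q = recent[user]
        while q and (ts - q[0][0]).total_seconds() > window:   # evict stale failures
            q.popleft()
        if ev["result"] == "fail":
            q.append((ts, src))
            if len(q) >= threshold:
                a = alerts.setdefault(user, {"first": q[0][0], "success_after_burst": False})
                a.update(failures=len(q), distinct_src=len({s for _, s in q}), last=ts)
        elif ev["result"] == "ok" and user in alerts:
            alerts[user]["success_after_burst"] = True
    return alerts


def build_sample_log() -> List[str]:
    """Constructed sample, not real Kaiten logs: 'alice' receives 25 wrong PINs in two
    minutes from six rotating source addresses and then a success (the shape of a
    bypassed limiter); 'bob' mistypes twice and succeeds; one unrelated line is noise."""
    base = datetime(2024, 10, 2, 10, 15, 0, tzinfo=timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    lines = []
    for i in range(25):
        ts = base + timedelta(seconds=5 * i)
        lines.append(f"{ts.strftime(fmt)} auth pin_verify user=alice result=fail src=203.0.113.{i % 6 + 1}")
    ts = base + timedelta(seconds=125)
    lines.append(f"{ts.strftime(fmt)} auth pin_verify user=alice result=ok src=203.0.113.2")
    for i, result in enumerate(("fail", "fail", "ok")):
        ts = base + timedelta(seconds=30 + 10 * i)
        lines.append(f"{ts.strftime(fmt)} auth pin_verify user=bob result={result} src=198.51.100.9")
    lines.append("2024-10-02T10:16:00Z auth login user=carol result=ok src=198.51.100.10")  # not a PIN event
    return sorted(lines)   # ISO-8601 prefixes sort chronologically


if __name__ == "__main__":
    for user, alert in detect(build_sample_log()).items():
        print(user, alert)
```

The distinct-source count is the useful secondary signal: a genuine user fumbling a PIN comes from one address, whereas an attacker defeating a per-source limit has to spread requests across many. Keying the detection on the account rather than the source is deliberate, for the same reason the limiter itself should be.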

Vulnerability details

A vulnerability in Kaiten version 57.131.12 and earlier allows attackers to bypass the PIN code authentication mechanism. The application requires users to input a 6-digit PIN code sent to their email for authorization after entering their login credentials. However, the request limiting mechanism can be easily bypassed, enabling attackers to perform a brute force attack to guess the correct PIN and gain unauthorized access to the application.

CWE(s)

CWE-307: Improper Restriction of Excessive Authentication Attempts
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Kaiten, version 57.131.12 and earlier
(inferred from the references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-307

A control that limits consecutive invalid logon attempts and takes an automatic response (for example, locking the account or invalidating the pending login) when the limit is reached. For this CVE the limit has to be bound on the server side to the account or to the pending PIN challenge; a limit keyed only on client-controlled values such as source address or request headers is easily bypassed and would not close this finding.

addresses: CWE-307

A control that escalates authentication requirements under specific conditions, an excessive number of failed attempts among them, so that a guessing campaign is cut off rather than allowed to run to completion.
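Both the Deeper analysis above and the two controls listed here come down to where the attempt counter lives. The following is an added example, not Kaiten's code, and it does not claim to show how Kaiten's limiter is actually bypassed (the page does not say). The "vulnerable" verifier keys its limit on a client-supplied value, which is a common bypassable design and is an assumption here; the "hardened" one binds the counter to the pending challenge, compares in constant time, and invalidates the challenge after MAX_PIN_ATTEMPTS failures, on expiry, or on first success. An attacker loop then counts how many requests each design costs against a constructed, known PIN. All names and constants are hypothetical.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

PIN_DIGITS = 6           # the emailed 6-digit PIN described on the page
MAX_PIN_ATTEMPTS = 5     # lockout threshold (assumption)
PIN_TTL_SECONDS = 300    # challenge lifetime (assumption)


def generate_pin() -> str:
    """Zero-padded 6-digit PIN drawn from a CSPRNG (secrets), never random.randint."""
    return f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"


@dataclass
class Challenge:
    """One pending post-login PIN challenge; the attempt counter lives here, server side."""
    user: str
    pin: str
    created: float = field(default_factory=time.time)
    attempts: int = 0
    consumed: bool = False


def make_challenge(user: str, pin: str, age_seconds: float = 0.0) -> Challenge:
    """Helper for demos: a challenge created `age_seconds` ago."""
    return Challenge(user, pin, created=time.time() - age_seconds)


class VulnerableVerifier:
    """Limit keyed on a client-controlled value (forwarded-for header, cookie, source
    address behind a proxy). Assumed bypassable design, not a description of Kaiten."""
    def __init__(self, per_key_limit: int = MAX_PIN_ATTEMPTS):
        self.per_key_limit = per_key_limit
        self.counts: Dict[str, int] = {}

    def verify(self, ch: Challenge, guess: str, client_key: str) -> str:
        n = self.counts.get(client_key, 0)
        if n >= self.per_key_limit:
            return "limited"            # the attacker simply presents a new key
        self.counts[client_key] = n + 1
        return "ok" if guess == ch.pin else "wrong"   # also a non-constant-time compare


class HardenedVerifier:
    """Counter bound to the challenge (hence to the account): nothing the client
    changes resets it. The challenge is single use and dies on lockout or expiry."""
    def verify(self, ch: Challenge, guess: str, _client_key: Optional[str] = None,
               now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if ch.consumed or now - ch.created > PIN_TTL_SECONDS:
            return "locked"             # user must log in again and receive a fresh PIN
        ch.attempts += 1
        if hmac.compare_digest(guess.encode(), ch.pin.encode()):
            ch.consumed = True
            return "ok"
        if ch.attempts >= MAX_PIN_ATTEMPTS:
            ch.consumed = True
            return "locked"
        return "wrong"


def attack(verify, ch: Challenge, rotate_key: bool) -> Tuple[bool, int]:
    """Attacker loop: enumerate PINs in order and count requests sent. On 'limited'
    it rotates the spoofable key (the bypass) if rotate_key, else gives up; on
    'locked' it gives up."""
    key_no, sent = 0, 0
    for i in range(10 ** PIN_DIGITS):
        guess = f"{i:0{PIN_DIGITS}d}"
        while True:
            sent += 1
            status = verify(ch, guess, f"spoofed-src-{key_no}")
            if status == "limited" and rotate_key:
                key_no += 1
                continue
            break
        if status == "ok":
            return True, sent
        if status in ("limited", "locked"):
            return False, sent
    return False, sent


def demo(pin: str = "004242") -> Dict[str, Tuple[bool, int]]:
    """Run both attacks against a constructed, known PIN so the loop stays short;
    against generate_pin() the vulnerable path needs up to 10**6 guesses."""
    return {
        "vulnerable": attack(VulnerableVerifier().verify, make_challenge("alice", pin), True),
        "hardened": attack(HardenedVerifier().verify, make_challenge("alice", pin), False),
    }


if __name__ == "__main__":
    print(demo())   # {'vulnerable': (True, 5091), 'hardened': (False, 5)}
```

Against the vulnerable verifier the per-key limit only adds one wasted request per rotation (4243 guesses plus 848 "limited" responses for PIN 004242); against the hardened one the fifth wrong guess ends the session, and the attacker's only way forward is to start a new login, which is exactly the event the first control above is meant to count and respond to.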
