CVE-2024-41276
Published: 01 October 2024
Summary
CVE-2024-41276 is a critical-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 5.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2024-41276 affects Kaiten versions 57.131.12 and earlier. The vulnerability stems from insufficient request limiting around the post-login 6-digit PIN verification step, where a code is emailed to the user. This flaw, classified under CWE-307, permits trivial bypass of rate controls and enables brute-force guessing of the PIN without any prior authentication.
An unauthenticated attacker who knows or can obtain valid login credentials can repeatedly submit PIN guesses until the correct value is found, resulting in full unauthorized access to the application. The CVSS 9.8 score reflects the network-accessible, low-complexity nature of the attack and its impact on confidentiality, integrity, and availability.
The accompanying GitHub reference provides a proof-of-concept, while the vendor site at kaiten.ru offers no public mitigation details in the supplied references. The EPSS score has remained flat at 0.1356 with no observed rise after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-38994
Vulnerability details
A vulnerability in Kaiten version 57.131.12 and earlier allows attackers to bypass the PIN code authentication mechanism. The application requires users to input a 6-digit PIN code sent to their email for authorization after entering their login credentials. However, the request limiting mechanism can be easily bypassed, enabling attackers to perform a brute force attack to guess the correct PIN and gain unauthorized access to the application.
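The weakness described in the analysis and vulnerability details above is the absence of an attempt budget on the emailed 6-digit PIN check. The following is an added example, not Kaiten's code and not from any of the cited references: it contrasts an unlimited comparison with a verifier that binds an attempt counter, an expiry and single-use semantics to the server-side challenge itself, so that nothing the client controls can reset the count. The limits (5 attempts, 300-second lifetime) and all names are assumptions for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # assumed policy: burn the PIN after 5 wrong guesses
PIN_TTL_SECONDS = 300   # assumed policy: an emailed PIN is valid for 5 minutes


@dataclass
class PinChallenge:
    """Server-side record for one emailed 6-digit PIN, tied to one login session.

    The attempt counter lives here, on the server, so nothing the client sends
    (new session cookie, different source IP, replayed request) can reset it.
    """
    pin: str
    issued_at: float
    attempts: int = 0
    consumed: bool = False


def issue_pin(now=None) -> PinChallenge:
    """Create a fresh, uniformly random, zero-padded 6-digit PIN."""
    issued = time.time() if now is None else now
    return PinChallenge(pin=f"{secrets.randbelow(10**6):06d}", issued_at=issued)


def verify_pin_unlimited(challenge: PinChallenge, guess: str) -> bool:
    """Weak form (CWE-307): no attempt budget, so all 10**6 codes can be tried."""
    return guess == challenge.pin


def verify_pin(challenge: PinChallenge, guess: str, now=None) -> str:
    """Hardened form. Returns 'ok', 'wrong', 'locked' or 'expired'."""
    current = time.time() if now is None else now
    if challenge.consumed or challenge.attempts >= MAX_ATTEMPTS:
        return "locked"                      # used up or already burned
    if current - challenge.issued_at > PIN_TTL_SECONDS:
        challenge.consumed = True
        return "expired"                     # stale PIN can never be redeemed
    challenge.attempts += 1                  # charge the budget before comparing
    if hmac.compare_digest(guess.encode(), challenge.pin.encode()):
        challenge.consumed = True            # single use: a correct PIN cannot be replayed
        return "ok"
    if challenge.attempts >= MAX_ATTEMPTS:
        challenge.consumed = True            # burn it; the user must request a new PIN
    return "wrong"
```

Once the budget is spent, even the correct PIN is rejected and the user has to request a new code, which is the behaviour the controls listed below (limits on consecutive invalid attempts with an automatic response) call for.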
- CWE(s): CWE-307 (Improper Restriction of Excessive Authentication Attempts)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
This control directly enforces limits on consecutive invalid logon attempts and automatic response (e.g., lockout) to prevent brute-force exploitation of authentication mechanisms.
Specific conditions can include excessive failed attempts, triggering stronger authentication that restricts brute-force exploitation.