
CVE-2024-57610

Severity: High · Public PoC referenced

Published: 06 February 2025
Modified: 19 September 2025
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0977 (93.1st percentile)
Risk Priority: 21 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-57610 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Sylius Sylius. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked in the top 6.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2024-57610 is a rate limiting deficiency in Sylius version 2.0.2 that permits unrestricted authentication attempts against user accounts. The flaw is tracked under CWE-307 and carries a CVSS 3.1 score of 7.5, reflecting high impact on availability with no required privileges or user interaction. The Sylius core itself does not implement brute-force protections, leaving the issue present in any deployment running the affected release.

An unauthenticated remote attacker can send large volumes of login requests to enumerate or compromise accounts through brute force while also degrading service for legitimate users. Because the vulnerability is exploitable over the network without authentication, the attack can originate from any internet-connected host and requires no prior access to the application.

The vendor states that Sylius is not designed to mitigate brute-force attacks and directs customers to deploy external controls such as firewalls, rate-limiting middleware, or dedicated authentication providers. No official patch addressing the rate-limiting gap within the core framework is referenced in the available advisories.

The associated EPSS score reached a peak of 0.1227 after disclosure before settling at 0.0977, indicating modest but sustained external interest in the issue.


Vulnerability details

A rate limiting issue in Sylius v2.0.2 allows a remote attacker to perform unrestricted brute-force attacks on user accounts, significantly increasing the risk of account compromise and denial of service for legitimate users. The Supplier's position is that the Sylius core software is not intended to address brute-force attacks; instead, customers deploying a Sylius-based system are supposed to use "firewalls, rate-limiting middleware, or authentication providers" for that functionality.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (Credential Access): adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

Why these techniques?

The absence of rate limiting on the login endpoint enables unrestricted brute-force attacks (T1110) against user accounts, facilitating credential guessing or spraying without restrictions.

CVEs Like This One

CVE-2026-31824 (same product: Sylius Sylius)
CVE-2025-14362 (shared CWE-307)
CVE-2025-69246 (shared CWE-307)
CVE-2026-35597 (shared CWE-307)
CVE-2026-45364 (shared CWE-307)
CVE-2025-23368 (shared CWE-307)
CVE-2025-69615 (shared CWE-307)
CVE-2024-23106 (shared CWE-307)
CVE-2026-45010 (shared CWE-307)
CVE-2026-6947 (shared CWE-307)

Affected Assets

Vendor: sylius
Product: sylius
Version: 2.0.2

Mitigating Controls (NIST 800-53 r5)

AC-7 (prevent): enforces restrictions on the number of consecutive unsuccessful logon attempts, directly preventing the brute-force attacks on user accounts exploited by this CVE.

SC-5 (prevent): implements denial-of-service protections such as rate limiting, mitigating the flooding of authentication endpoints that causes service disruption for legitimate users.

SC-7 (prevent): provides boundary protection via firewalls or middleware to enforce rate limiting on external network access, addressing the remote unauthenticated brute-force exploitation.
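As an added illustration (not Sylius code and not part of this record) of the AC-7 and SC-5 controls placed in front of an otherwise unthrottled login endpoint: a per-account consecutive-failure lockout and a per-source sliding-window attempt cap. The credential store, source addresses, thresholds and clock values are constructed for the demonstration.

```python
# Added example: a login gate modelling the AC-7 and SC-5 controls in front of an
# otherwise unthrottled login endpoint. Not Sylius code; the credential store,
# thresholds, source addresses and clock are constructed for the demonstration.
import hmac
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LoginGate:
    credentials: dict[str, str]      # constructed user -> password map
    max_failures: int = 5            # AC-7: consecutive failures before lockout
    lockout_seconds: int = 900       # AC-7: how long the account stays locked
    per_ip_limit: int = 20           # SC-5: attempts allowed per source address ...
    window_seconds: int = 60         # ... within this sliding window
    _failures: dict = field(default_factory=lambda: defaultdict(int))
    _locked_until: dict = field(default_factory=dict)
    _ip_attempts: dict = field(default_factory=lambda: defaultdict(deque))

    def attempt(self, user: str, password: str, ip: str, now: float) -> str:
        """Return 'ok', 'invalid', 'locked' or 'rate_limited' for one login attempt."""
        # SC-5: expire timestamps outside the window, then refuse if the source is over cap.
        recent = self._ip_attempts[ip]
        while recent and now - recent[0] >= self.window_seconds:
            recent.popleft()
        if len(recent) >= self.per_ip_limit:
            return "rate_limited"    # refused before the credential store is consulted
        recent.append(now)
        # AC-7: a locked account is refused even for the right password, so a guess
        # that happens to land during the lockout reveals nothing.
        if self._locked_until.get(user, 0) > now:
            return "locked"
        stored = self.credentials.get(user, "")
        if stored and hmac.compare_digest(stored, password):
            self._failures[user] = 0 # a successful logon resets the failure count
            return "ok"
        self._failures[user] += 1
        if self._failures[user] >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            self._failures[user] = 0
        return "invalid"


def demo() -> list[str]:
    """Three bad guesses lock 'alice'; the right password is refused until the lockout ends."""
    gate = LoginGate({"alice": "correct-horse"}, max_failures=3, lockout_seconds=600)
    src = "203.0.113.7"              # constructed source address
    results = [gate.attempt("alice", pw, src, t)
               for t, pw in enumerate(["a", "b", "c", "correct-horse"])]
    return results + [gate.attempt("alice", "correct-horse", src, 603)]
```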
