CVE-2025-4319

Critical

Published: 23 January 2026

Published

23 January 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.4 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H

EPSS Score 0.0009 25.5th percentile

Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-4319 is a critical-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Gov (inferred from references). Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110); ranked at the 25.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Brute Force (T1110) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-7 Unsuccessful Logon Attempts good match

prevent

Directly enforces limits on consecutive unsuccessful logon attempts and account lockouts, preventing brute force authentication attacks addressed by this CVE.

IA-5 Authenticator Management good match

prevent

Requires management of authenticators including strong policies for password strength, storage, and recovery mechanisms, mitigating weak password recovery exploitation in this CVE.

SC-5 Denial-of-service Protection partial match

prevent

Provides denial-of-service protections such as rate limiting and resource allocation to counter the high availability impact from excessive remote authentication attempts in this CVE.

MITRE ATT&CK Enterprise TechniquesAI

T1110 Brute Force Credential Access

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

attack.mitre.org →

T1110.001 Password Guessing Credential Access

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Improper auth attempt restriction directly enables remote brute-force/password guessing (T1110/T1110.001) against a public-facing application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Restriction of Excessive Authentication Attempts, Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions Sufirmam allows Brute Force, Password Recovery Exploitation.This issue affects Sufirmam: through 23012026. NOTE: The vendor was contacted early about this…

disclosure but did not respond in any way.

Deeper analysisAI

CVE-2025-4319 is an Improper Restriction of Excessive Authentication Attempts and Weak Password Recovery Mechanism for Forgotten Password vulnerability in Birebirsoft Software and Technology Solutions' Sufirmam software. This issue affects Sufirmam versions through 23012026 and carries a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H). It is associated with CWE-307 (Improper Restriction of Excessive Authentication Attempts) and CWE-640 (Weak Password Recovery Mechanism for Forgotten Password).

Unauthenticated attackers can exploit the vulnerability remotely over the network with low attack complexity and no user interaction required. Successful exploitation enables brute force attacks against authentication and password recovery exploitation, potentially resulting in high confidentiality impact, low integrity impact, and high availability impact.

A related advisory is published at https://www.usom.gov.tr/bildirim/tr-26-0005. The vendor was contacted early regarding this disclosure but did not respond in any way.