CVE-2025-52997
Published: 30 June 2025
Summary
CVE-2025-52997 is a medium-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Filebrowser Filebrowser. Its CVSS base score is 5.9 (Medium).
Operationally, it ranks at the 36.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23536
Vulnerability details
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.34.1, a missing password policy and missing brute-force protection make the authentication process insecure. Attackers could mount a brute-force attack to retrieve the passwords of all accounts in a given instance. This issue has been patched in version 2.34.1.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- IA policy establishes password requirements, directly addressing weak password requirements.
- Ensuring authenticators have sufficient strength of mechanism for their intended use addresses weak password requirements.
- User documentation on maintaining security includes password requirements, directly mitigating weak password policies.
- This control directly enforces limits on consecutive invalid logon attempts and an automatic response (e.g., lockout) to prevent brute-force exploitation of authentication mechanisms.
- Mandates replacement of default credentials during secure configuration and provisioning procedures.
- Configuration settings can define and enforce strong password requirements to avoid weak policies.
- Specific conditions can include excessive failed attempts, triggering stronger authentication that restricts brute-force exploitation.
- The unique identification requirement prevents use of default or shared credentials by organizational users.