Cyber Posture

CVE-2025-63807

Critical · Public PoC

Published: 20 November 2025
Modified: 15 January 2026
KEV Added: not listed
Patch: none listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0011 (28.7th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-63807 is a critical-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in 2Dogz Blogin. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). Its EPSS score places it at the 28.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Brute Force (T1110) and Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-7 Unsuccessful Logon Attempts (prevent)
Directly mitigates brute-force attacks on verification codes by enforcing thresholds for unsuccessful authentication attempts and account lockouts.

IA-5 Authenticator Management (prevent)
Requires authenticators such as verification codes to have sufficient strength of mechanism, addressing the weak code generation.

Account monitoring and disabling (detect, respond)
Supports detection of and response to account takeover by requiring monitoring of account usage and a process for disabling compromised accounts.
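The third control above calls for monitoring account usage so that a brute-force run against the verification endpoint is noticed and the targeted account can be disabled. The following is an added example, not Blogin's code: a sliding-window counter over constructed authentication log lines (the key=value log format, the /reset/verify endpoint name and the policy of 5 failures in 60 seconds are assumptions) that raises one alert when either a source IP or a target account accumulates repeated verification-code failures. Keying on the account as well as the IP is what catches an attacker who rotates source addresses against a single victim.

```python
"""Flag brute-force attempts against a verification-code endpoint from auth logs.

Added example (not Blogin's code). The log format, endpoint name and
thresholds below are assumptions made for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

THRESHOLD = 5        # failures per key inside the window before alerting (assumed)
WINDOW_SECONDS = 60  # sliding window length (assumed)

# Constructed sample log: one IP hammering alice, a legitimate user (bob)
# mistyping twice, and six different IPs each making one attempt on carol.
SAMPLE_LOG = """\
2025-11-20T10:00:00Z ip=203.0.113.7 user=alice endpoint=/reset/verify result=fail
2025-11-20T10:00:01Z ip=203.0.113.7 user=alice endpoint=/reset/verify result=fail
2025-11-20T10:00:02Z ip=203.0.113.7 user=alice endpoint=/reset/verify result=fail
2025-11-20T10:00:03Z ip=203.0.113.7 user=alice endpoint=/reset/verify result=fail
2025-11-20T10:00:04Z ip=203.0.113.7 user=alice endpoint=/reset/verify result=fail
2025-11-20T10:00:05Z ip=203.0.113.7 user=alice endpoint=/reset/verify result=fail
2025-11-20T10:00:06Z ip=203.0.113.7 user=alice endpoint=/login result=fail
2025-11-20T10:00:10Z ip=192.0.2.44 user=bob endpoint=/reset/verify result=fail
2025-11-20T10:00:25Z ip=192.0.2.44 user=bob endpoint=/reset/verify result=fail
2025-11-20T10:00:40Z ip=192.0.2.44 user=bob endpoint=/reset/verify result=ok
2025-11-20T10:01:00Z ip=198.51.100.1 user=carol endpoint=/reset/verify result=fail
2025-11-20T10:01:02Z ip=198.51.100.2 user=carol endpoint=/reset/verify result=fail
2025-11-20T10:01:04Z ip=198.51.100.3 user=carol endpoint=/reset/verify result=fail
2025-11-20T10:01:06Z ip=198.51.100.4 user=carol endpoint=/reset/verify result=fail
2025-11-20T10:01:08Z ip=198.51.100.5 user=carol endpoint=/reset/verify result=fail
2025-11-20T10:01:10Z ip=198.51.100.6 user=carol endpoint=/reset/verify result=fail
"""


def parse_line(line: str) -> dict:
    """Split 'TIMESTAMP k=v k=v ...' into a dict with a tz-aware 'ts' field."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_bruteforce(lines, threshold: int = THRESHOLD, window: int = WINDOW_SECONDS):
    """Return alerts as (key_type, key, failures_in_window, iso_timestamp).

    A failure is counted against both the source IP and the target account.
    Each key alerts once, at the moment its failure count inside the sliding
    window reaches `threshold`.
    """
    windows = defaultdict(deque)  # (key_type, key) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("endpoint") != "/reset/verify" or rec.get("result") != "fail":
            continue
        for key in (("ip", rec["ip"]), ("user", rec["user"])):
            q = windows[key]
            q.append(rec["ts"])
            while (rec["ts"] - q[0]).total_seconds() > window:  # drop stale failures
                q.popleft()
            if len(q) >= threshold and key not in alerted:
                alerted.add(key)
                alerts.append((key[0], key[1], len(q), rec["ts"].isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print("ALERT", *alert)
```

Running it over the constructed sample yields three alerts: the attacking IP 203.0.113.7, the account alice it targets, and the account carol, whose attacker never exceeds one attempt per IP and is therefore only visible in the per-account view. The /login line and bob's two mistakes produce nothing. In production the same counters would drive the response half of the control (disable the account or invalidate its outstanding reset code).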

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (Credential Access)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability enables unauthenticated brute-force attacks (T1110) on weak verification codes without rate limiting, facilitating account takeover via password reset in a public-facing web application (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak verification code generation mechanism combined with missing rate limiting allows attackers to perform brute-force attacks on verification codes without authentication. Successful exploitation may result in account takeover via password reset or other authentication bypass methods.

Deeper analysis

CVE-2025-63807 is a critical-severity vulnerability (CVSS 3.1 score of 9.8) affecting weijiang1994 university-bbs, also known as Blogin, specifically in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 dated 2025-01-13. The issue stems from a weak verification code generation mechanism combined with the absence of rate limiting, enabling unauthenticated brute-force attacks on verification codes. This flaw is linked to CWE-307 (Improper Restriction of Excessive Authentication Attempts) and CWE-1390 (Weak Authentication).

Remote attackers require no privileges, user interaction, or special access (AV:N/AC:L/PR:N/UI:N) to exploit the vulnerability over the network with low complexity. Successful brute-forcing of verification codes can lead to account takeover through password reset flows or other authentication bypass techniques, resulting in high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H).
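The two defects described here and in the mitigating-controls section (weak code generation, no attempt limiting) and their fixes (IA-5-style authenticator strength, AC-7-style attempt thresholds) are shown side by side in the following added example. It is written in Python for illustration and is not Blogin's code; the code alphabet, length, attempt threshold and lifetime are assumed policy values. The weak store accepts unlimited guesses against a 4-digit code, so an attacker who enumerates the space always succeeds; the hardened store draws an 8-symbol code from a CSPRNG, compares in constant time, allows five attempts, expires the code, and invalidates it on success or when the threshold is hit.

```python
"""Weak vs. hardened verification-code handling for a password-reset flow.

Added example written in Python for illustration; it is not Blogin's code.
ALPHABET, CODE_LEN, MAX_ATTEMPTS and TTL_SECONDS are assumed policy values.
"""
import hmac
import random
import secrets
import time
from dataclasses import dataclass
from typing import Optional


# --- Weak pattern: CWE-1390 (weak generation) + CWE-307 (no attempt limit) ---
def weak_generate_code() -> str:
    """4 digits from random.randint: 10_000 candidates, and `random` is a
    Mersenne Twister, not a CSPRNG, so the output is also predictable."""
    return f"{random.randint(0, 9999):04d}"


class WeakResetStore:
    """One code per account, checked with no counter, expiry or single-use."""

    def __init__(self) -> None:
        self._codes: dict = {}

    def issue(self, account: str) -> str:
        code = weak_generate_code()
        self._codes[account] = code
        return code

    def verify(self, account: str, guess: str) -> bool:
        # Nothing stops an attacker from submitting every candidate.
        return self._codes.get(account) == guess


def brute_force(store: WeakResetStore, account: str) -> Optional[int]:
    """Enumerate the whole 4-digit space; return the number of attempts used."""
    for n in range(10_000):
        if store.verify(account, f"{n:04d}"):
            return n + 1
    return None


# --- Hardened pattern: strong authenticator (IA-5) + attempt threshold (AC-7) ---
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # 32 symbols, no 0/O/1/I ambiguity
CODE_LEN = 8          # 32**8 ~ 1.1e12 candidates
MAX_ATTEMPTS = 5      # assumed AC-7 threshold per issued code
TTL_SECONDS = 600     # assumed code lifetime


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0


class HardenedResetStore:
    """CSPRNG codes, bounded attempts, expiry, single use, constant-time compare."""

    def __init__(self, clock=time.monotonic) -> None:
        self._clock = clock               # injectable so expiry can be tested
        self._challenges: dict = {}

    def issue(self, account: str) -> str:
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        # A new code replaces any outstanding one and resets its counter.
        self._challenges[account] = Challenge(code, self._clock())
        return code

    def verify(self, account: str, guess: str) -> bool:
        ch = self._challenges.get(account)
        if ch is None:
            return False                  # nothing outstanding (or locked out)
        if self._clock() - ch.issued_at > TTL_SECONDS:
            del self._challenges[account]  # expired
            return False
        ch.attempts += 1
        ok = hmac.compare_digest(ch.code.encode(), guess.encode())
        if ok or ch.attempts >= MAX_ATTEMPTS:
            # Single use on success; on reaching the threshold the code is
            # invalidated, so at most MAX_ATTEMPTS guesses ever apply to it.
            del self._challenges[account]
        return ok

    def outstanding(self, account: str) -> bool:
        return account in self._challenges
```

With the hardened store an attacker gets at most 5 guesses per issued code, a success probability of 5 / 32**8 per reset request; forcing a fresh code resets the search rather than continuing it. Note that it does not by itself limit how often an attacker can request new codes, so a per-account and per-IP rate limit on the issue endpoint, and monitoring of repeated failures, are the necessary complements.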

A detailed advisory on the vulnerability, including potential exploitation details, is available in the referenced GitHub Gist at https://gist.github.com/Rycarl-Furry/3e93c6f0d48a29518adf341e0fc7e2dd. The CVE was published on 2025-11-20.

Details

CWE(s): CWE-307 (Improper Restriction of Excessive Authentication Attempts), CWE-1390 (Weak Authentication)

Affected Products: 2dogz blogin, versions ≤ 2024-11-09

CVEs Like This One

CVE-2026-33640 (shared CWE-307)
CVE-2025-67853 (shared CWE-307)
CVE-2024-50563 (shared CWE-1390)
CVE-2025-31676 (shared CWE-1390, CWE-307)
CVE-2026-33667 (shared CWE-307)
CVE-2026-2110 (shared CWE-307)
CVE-2026-32729 (shared CWE-307)
CVE-2026-26305 (shared CWE-307)
CVE-2024-48886 (shared CWE-1390)
CVE-2026-25945 (shared CWE-307)

References

https://gist.github.com/Rycarl-Furry/3e93c6f0d48a29518adf341e0fc7e2dd (advisory Gist)