Cyber Posture

CVE-2025-64310

Critical

Published: 21 November 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0009 (24.8th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-64310 is a critical-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability. The affected product is recorded here as "Jvn", inferred from the references because NVD filed no CPE; the NVD description names EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). EPSS ranks it at the 24.8th percentile by exploit likelihood, below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Brute Force (T1110) and its sub-technique Password Guessing (T1110.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: AC-7 enforces limits on consecutive invalid logon attempts and automatic account lockouts, directly preventing brute-force attacks on administrative passwords in the Epson projector web interfaces.

Prevent: SI-2 requires timely remediation of identified flaws, such as applying vendor patches for the Epson WebConfig and Web Control vulnerability lacking authentication attempt restrictions.

Prevent: SC-5 implements denial-of-service protections like rate limiting on network-accessible login endpoints, mitigating excessive authentication attempts even if the application lacks built-in restrictions.
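The AC-7 and SC-5 controls above describe a compensating limit that can sit in front of a login endpoint which, like the projector web interfaces in this record, enforces none of its own. The following is an added example, not Epson's code and not part of this record: a lockout gate a reverse proxy could apply per (source IP, account) pair, with thresholds that are assumptions rather than vendor values.

```python
# Added example, not Epson's code nor part of this record: an AC-7 / SC-5 style
# lockout gate a reverse proxy could apply in front of a login endpoint that has
# no attempt limits of its own. Thresholds are assumptions, not vendor values.
from collections import defaultdict, deque

MAX_FAILURES = 5       # failures tolerated inside the window before lockout
WINDOW_SECONDS = 300   # sliding window over which failures are counted
LOCKOUT_SECONDS = 900  # how long the (source, account) pair stays locked

class LoginGate:
    """Counts failed logins per (source IP, account) and enforces a lockout."""

    def __init__(self):
        self.failures = defaultdict(deque)  # key -> failure timestamps in window
        self.locked_until = {}              # key -> unlock timestamp

    def allowed(self, source, account, now):
        """True if an attempt from source against account may reach the device."""
        key = (source, account)
        until = self.locked_until.get(key)
        if until is not None and now < until:
            return False
        self.locked_until.pop(key, None)    # lockout expired or never set
        return True

    def record(self, source, account, now, success):
        """Record an attempt outcome; True if this failure triggered a lockout."""
        key = (source, account)
        if success:
            self.failures.pop(key, None)    # a real login clears the counter
            return False
        window = self.failures[key]
        window.append(now)
        while now - window[0] > WINDOW_SECONDS:  # drop failures outside window
            window.popleft()
        if len(window) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            self.failures.pop(key, None)
            return True
        return False

def replay(attempts):
    """Replay constructed (t, source, account, success) tuples; return how many reached the device."""
    gate, passed = LoginGate(), 0
    for t, src, acct, ok in attempts:
        if gate.allowed(src, acct, t):
            passed += 1
            gate.record(src, acct, t, ok)
    return passed
```

Keying on the (source, account) pair keeps a single guessing source from locking the administrator out of the device while still capping what any one source can try per window.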

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (Credential Access): Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
T1110.001 Password Guessing (Credential Access): Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

Why these techniques?

The vulnerability is a failure to restrict excessive authentication attempts (CWE-307), directly enabling brute force password guessing (T1110, T1110.001) on the administrative interface.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products do not restrict excessive authentication attempts. An administrative user's password may be identified through a brute force attack.

Deeper analysis

CVE-2025-64310 is a critical vulnerability in EPSON WebConfig and Epson Web Control for SEIKO EPSON Projector Products, published on 2025-11-21. It stems from CWE-307: Improper Restriction of Excessive Authentication Attempts, where the web interfaces fail to limit login attempts, allowing attackers to brute-force administrative user passwords. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility and potential for complete compromise.

Any unauthenticated attacker with network access to the projector can exploit this vulnerability remotely with low complexity and no user interaction required. By repeatedly attempting logins with guessed credentials, they can identify the administrative password, achieving high-impact unauthorized access that enables full control over confidentiality, integrity, and availability of the device.

Advisories detailing mitigations and patches are available from the Japan Vulnerability Notes (JVN) at https://jvn.jp/en/vu/JVNVU95021911/, Epson UK at https://www.epson.co.uk/en_GB/faq/KA-02041/contents?loc=en-us, and Epson Japan at https://www.epson.jp/support/misc_t/251120_oshirase.htm. Security practitioners should review these resources promptly for update instructions and protective measures.

Details

CWE(s): CWE-307 Improper Restriction of Excessive Authentication Attempts

Affected Products: Jvn (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-22616 (shared CWE-307)
CVE-2024-51476 (shared CWE-307)
CVE-2026-32295 (shared CWE-307)
CVE-2026-36959 (shared CWE-307)
CVE-2025-25595 (shared CWE-307)
CVE-2025-12995 (shared CWE-307)
CVE-2026-40586 (shared CWE-307)
CVE-2025-69246 (shared CWE-307)
CVE-2026-6947 (shared CWE-307)
CVE-2025-58587 (shared CWE-307)
