CVE-2025-66204
Published: 09 December 2025
Summary
CVE-2025-66204 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in WBCE CMS, affecting version 1.6.4 and fixed in 1.6.5. Its CVSS v3.1 base score is 8.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Password Guessing (T1110.001). The vulnerability ranks at the 21st percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-7 (Unsuccessful Logon Attempts): enforces a limit on consecutive failed logon attempts. The lockout must be keyed on an identity the attacker cannot change per request (the authenticated TCP peer, the account name, or both); keying it on an unvalidated X-Forwarded-For value is exactly what this CVE defeats.
- SI-10 (Information Input Validation): requires that untrusted inputs such as the X-Forwarded-For header be validated before use, so a client-supplied value cannot reset or re-bucket the brute-force counter.
- SC-7 (Boundary Protection): the reverse proxy or WAF at the external interface can overwrite or normalise forwarding headers and enforce rate limiting on the real connecting address, independent of whatever client IP the request claims.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability defeats the brute-force lockout through X-Forwarded-For header manipulation: because the counter is keyed on the claimed client address, changing the header on every request gives the attacker a fresh counter each time and therefore unlimited password guessing (T1110.001) against the login of a public-facing CMS (T1190, Exploit Public-Facing Application).
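The password-guessing pattern above leaves a distinctive trace on the web server in front of the application: one TCP peer posting to the login endpoint while presenting a different X-Forwarded-For value on each request. The detection below is an added example written for this page, not code from the advisory or from WBCE CMS. It assumes an nginx-style combined access log with `$http_x_forwarded_for` appended as a final quoted field and a login path of `/admin/login/`; both are assumptions to adjust to the deployment, and the log lines are constructed.

```python
"""Flag a single TCP peer rotating X-Forwarded-For against the login endpoint.

Added example over constructed access-log lines; the log format and login path are
assumptions, not facts about WBCE CMS or the advisory.
"""
import re
from collections import defaultdict

# Assumed format: nginx "combined" log_format with "$http_x_forwarded_for" appended
# as one more quoted field. Adapt LOG_RE to the real log_format before use.
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)
LOGIN_PATH = "/admin/login/"      # assumption: the application's login URL
DISTINCT_XFF_THRESHOLD = 5       # one peer claiming five different clients is not a browser


def _attacker_lines():
    # Constructed: 203.0.113.7 posts eight guesses, each with a new forwarded address.
    return [
        f'203.0.113.7 - - [09/Dec/2025:10:00:{i:02d} +0000] "POST /admin/login/ HTTP/1.1" '
        f'200 1280 "-" "curl/8.5" "198.51.100.{i}"'
        for i in range(8)
    ]


SAMPLE_LOG = _attacker_lines() + [
    # Constructed: an ordinary user behind a legitimate proxy keeps the same forwarded address.
    '10.0.0.5 - - [09/Dec/2025:10:00:20 +0000] "POST /admin/login/ HTTP/1.1" 200 1280 "-" "Mozilla/5.0" "192.0.2.44"',
    '10.0.0.5 - - [09/Dec/2025:10:00:25 +0000] "POST /admin/login/ HTTP/1.1" 200 1280 "-" "Mozilla/5.0" "192.0.2.44"',
    '10.0.0.5 - - [09/Dec/2025:10:00:31 +0000] "POST /admin/login/ HTTP/1.1" 302 0 "-" "Mozilla/5.0" "192.0.2.44"',
    # Constructed: a direct visitor with no header at all, and a GET that is not a login attempt.
    '198.51.100.200 - - [09/Dec/2025:10:01:02 +0000] "POST /admin/login/ HTTP/1.1" 200 1280 "-" "Mozilla/5.0" "-"',
    '203.0.113.7 - - [09/Dec/2025:10:01:10 +0000] "GET /admin/login/ HTTP/1.1" 200 2048 "-" "curl/8.5" "198.51.100.99"',
]


def login_posts_by_peer(lines):
    """Group POSTs to the login path by TCP peer -> [count, set of X-Forwarded-For values]."""
    peers = defaultdict(lambda: [0, set()])
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != LOGIN_PATH:
            continue
        entry = peers[m["remote"]]
        entry[0] += 1
        entry[1].add(m["xff"])
    return peers


def detect_xff_rotation(lines, threshold=DISTINCT_XFF_THRESHOLD):
    """Return {peer: (login_posts, distinct_claimed_clients)} for every peer that sent
    at least `threshold` different X-Forwarded-For values to the login endpoint."""
    alerts = {}
    for peer, (count, xffs) in login_posts_by_peer(lines).items():
        claimed = xffs - {"-", ""}        # "-" is how nginx renders a missing header
        if len(claimed) >= threshold:
            alerts[peer] = (count, len(claimed))
    return alerts


if __name__ == "__main__":
    for peer, (posts, distinct) in detect_xff_rotation(SAMPLE_LOG).items():
        print(f"ALERT {peer}: {posts} login POSTs with {distinct} distinct X-Forwarded-For values")
```

Where every request arrives through a single reverse proxy, the TCP peer seen by the application is always the proxy, and the grouping key should instead be the rightmost X-Forwarded-For hop that the proxy itself appended; the threshold logic stays the same. Restricting to failed-login status codes tightens the rule, but which code a failed login returns varies by application, so the example keys on the POST alone.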
NVD Description
WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the `X-Forwarded-For` header without validating it or restricting its usage. This issue is fixed in version 1.6.5.
Deeper analysis
WBCE CMS version 1.6.4, a content management system, is affected by CVE-2025-66204, a brute-force protection bypass vulnerability mapped to CWE-307 (Improper Restriction of Excessive Authentication Attempts) and CWE-693 (Protection Mechanism Failure). The flaw stems from the application's full trust in the X-Forwarded-For header without validation or restrictions, allowing attackers to reset the brute-force counter indefinitely by modifying this header on each request. This effectively disables all brute-force protections, enabling unlimited password guessing attempts.
The vulnerability has a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H): it is exploitable over the network by an unauthenticated remote attacker with no user interaction, with high attack complexity, which plausibly reflects that the attacker must still guess a valid password once the lockout is out of the way. The high confidentiality, integrity and availability impacts follow from what a successfully guessed credential yields: unauthorized access to the CMS, and full control of the site if the account is an administrator's.
Mitigation is provided in WBCE CMS version 1.6.5. The fix is documented in GitHub advisory GHSA-f676-f375-m7mw, in the release notes at github.com/WBCE/WBCE_CMS/releases/tag/1.6.5, and in commit 3765baddf27f31bbbea9c0228c452268621b25e5. Practitioners should upgrade promptly and review how the application and any reverse proxy in front of it derive the client address: X-Forwarded-For should be honoured only when the connecting peer is a proxy the operator controls, that proxy should append to or overwrite the header rather than pass a client-supplied value through, and the lockout counter should be keyed on the resulting trustworthy address (or on the account name) rather than on the raw header. Any other control keyed on the claimed client IP, such as rate limiting, allowlists or audit logging, is exposed to the same spoofing.
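To make the header-trust failure and its fix concrete, the following is an added example written for this page; it is not WBCE CMS code and does not reproduce the project's fix. It places a vulnerable client-IP resolver (believe whatever X-Forwarded-For says) beside a hardened one (honour the header only from a trusted proxy, and take the rightmost hop that is not one of our own proxies), drives both with the same lockout counter, and simulates an attacker who rotates the header on every request, both connecting directly and connecting through the proxy. The trusted-proxy range `10.0.0.0/8`, the threshold of 5, the test account and the addresses are all constructed assumptions.

```python
"""Login lockout keyed on the client IP: the vulnerable header-trust pattern behind
CVE-2025-66204 beside a hardened resolver. Added example, not WBCE CMS code."""
import ipaddress
from collections import defaultdict

MAX_FAILURES = 5                                        # hypothetical lockout threshold
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the operator's own reverse proxies
VALID_CREDENTIALS = {("admin", "correct horse battery staple")}  # constructed test account


def _parse_ip(addr):
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def _is_trusted_proxy(addr):
    ip = _parse_ip(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip_vulnerable(remote_addr, headers):
    """Vulnerable pattern: believe the leftmost X-Forwarded-For entry, whoever wrote it."""
    xff = headers.get("X-Forwarded-For", "")
    return xff.split(",")[0].strip() or remote_addr


def client_ip_hardened(remote_addr, headers):
    """Hardened pattern: honour X-Forwarded-For only when the TCP peer is one of our
    proxies, then take the rightmost hop that is not itself one of our proxies.
    Proxies append to the header, so everything left of that hop was written by
    the client and is untrusted."""
    if not _is_trusted_proxy(remote_addr):
        return remote_addr                      # direct connection: the header is attacker-controlled
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted_proxy(hop):
            continue                            # an internal hop, keep walking left
        if _parse_ip(hop) is None:
            break                               # malformed value: fail closed
        return hop
    return remote_addr                          # missing/malformed header: bucket on the proxy itself


class LoginGuard:
    """Counts failed logins per resolved client address; refuses at MAX_FAILURES."""

    def __init__(self, resolve_client_ip):
        self.resolve = resolve_client_ip
        self.failures = defaultdict(int)

    def attempt(self, remote_addr, headers, username, password):
        key = self.resolve(remote_addr, headers)
        if self.failures[key] >= MAX_FAILURES:
            return "locked"
        if (username, password) in VALID_CREDENTIALS:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        return "denied"


def simulate(resolve_client_ip, via_proxy, attempts=50):
    """Attacker at 203.0.113.7 (constructed) sends a new X-Forwarded-For on every guess.
    Returns (guesses the application actually evaluated, requests refused by the lockout)."""
    guard = LoginGuard(resolve_client_ip)
    outcomes = []
    for i in range(attempts):
        spoofed = f"198.51.100.{i}"
        if via_proxy:
            # Our proxy connects from its own address and appends the real peer.
            remote, xff = "10.0.0.5", f"{spoofed}, 203.0.113.7"
        else:
            remote, xff = "203.0.113.7", spoofed
        outcomes.append(guard.attempt(remote, {"X-Forwarded-For": xff}, "admin", f"guess{i}"))
    return outcomes.count("denied"), outcomes.count("locked")


if __name__ == "__main__":
    for via_proxy in (False, True):
        print("via proxy" if via_proxy else "direct   ",
              "vulnerable:", simulate(client_ip_vulnerable, via_proxy),
              "hardened:", simulate(client_ip_hardened, via_proxy))
```

With the vulnerable resolver all 50 guesses are evaluated in both scenarios, because every request lands in a fresh counter. With the hardened resolver only the first 5 guesses are evaluated and the remaining 45 are refused, whether the attacker connects directly (the header is ignored) or through the proxy (the proxy-appended hop wins). Walking the header from the right, rather than from the left, is what makes the proxied case safe; the leftmost entry is the one the client controls.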
Details
- CWE(s)