Cyber Posture

CVE-2025-69246

Critical

Published: 16 March 2026
Modified: 16 March 2026
KEV Added: not listed
Patch: available (fixed in version 1.4.6)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0006 (18.4th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-69246 is a critical-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Raytha CMS (vendor: Raytha). Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). EPSS ranks the vulnerability at the 18.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-5 (Denial-of-service Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Brute Force (T1110). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- AC-7 Unsuccessful Logon Attempts (prevent): Directly enforces limits on consecutive invalid logon attempts and automatic account lockout to prevent brute-force credential guessing.
- SC-5 Denial-of-service Protection (prevent): Provides denial-of-service protections such as rate limiting and throttling to block excessive automated login requests.
- Adaptive authentication (prevent): Implements adaptive authentication mechanisms like step-up challenges to mitigate risks from repeated failed logon attempts.
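The two named controls, lockout after consecutive failures (AC-7) and per-source throttling (SC-5), expressed as a small login guard. This is an added example written for this entry; it is not Raytha's code and not the fix shipped in 1.4.6. The credential store, account names, source addresses and thresholds are constructed for the demonstration, and the guard runs with an injected clock value so the lockout window can be stepped through deterministically.

```python
"""Login guard combining NIST 800-53 AC-7 (lockout after consecutive
invalid logon attempts) with SC-5 (throttling of excessive requests from
one source). Added example; thresholds and accounts are constructed."""
import hashlib
import hmac
from collections import defaultdict, deque


class LoginGuard:
    def __init__(self, max_failures=5, lockout_seconds=900,
                 source_limit=20, source_window=60):
        self.max_failures = max_failures        # AC-7: consecutive failures before lockout
        self.lockout_seconds = lockout_seconds  # AC-7: lockout duration in seconds
        self.source_limit = source_limit        # SC-5: attempts allowed per source per window
        self.source_window = source_window      # SC-5: window length in seconds
        self._failures = defaultdict(int)       # account -> consecutive failures
        self._locked_until = {}                 # account -> time the lockout ends
        self._source_hits = defaultdict(deque)  # source -> timestamps of attempts

    def check(self, account, source, now):
        """Call before verifying the password. Returns (allowed, reason)."""
        hits = self._source_hits[source]
        while hits and now - hits[0] > self.source_window:
            hits.popleft()                      # drop attempts outside the window
        if len(hits) >= self.source_limit:
            return False, "throttled"           # SC-5: too many attempts from this source
        hits.append(now)
        until = self._locked_until.get(account)
        if until is not None:
            if now < until:
                return False, "locked"          # AC-7: refuse regardless of the password
            del self._locked_until[account]     # lockout expired: start a fresh count
            self._failures[account] = 0
        return True, "ok"

    def record_failure(self, account, now):
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds

    def record_success(self, account):
        self._failures[account] = 0


# Constructed credential store: PBKDF2 hashes (iteration count lowered for the demo).
_SALT = b"constructed-demo-salt"


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 20_000)


USERS = {"admin": _hash("correct horse battery staple")}
_UNKNOWN = _hash("")  # compared for unknown accounts so they take the same time


def attempt_login(guard, account, source, password, now):
    """Returns one of: throttled, locked, denied, success."""
    allowed, reason = guard.check(account, source, now)
    if not allowed:
        return reason
    candidate = _hash(password)                 # always hash, even for unknown accounts
    stored = USERS.get(account, _UNKNOWN)
    if account in USERS and hmac.compare_digest(stored, candidate):
        guard.record_success(account)
        return "success"
    guard.record_failure(account, now)
    return "denied"


def simulate_burst(guess_count=7):
    """Seven wrong guesses at one account from one source, then the right
    password: after the fifth failure the account is locked and even the
    correct password is refused until the lockout expires."""
    guard = LoginGuard(max_failures=5, lockout_seconds=900)
    t, src = 1000.0, "203.0.113.7"              # constructed clock and source address
    results = [attempt_login(guard, "admin", src, f"guess{i}", t + i)
               for i in range(guess_count)]
    good = "correct horse battery staple"
    results.append(attempt_login(guard, "admin", src, good, t + guess_count))
    # 901 s later the lockout has expired and the legitimate user gets in again.
    results.append(attempt_login(guard, "admin", "198.51.100.2", good, t + guess_count + 901))
    return results


def simulate_spray(attempts=25):
    """One source tries many different accounts: no single account reaches
    the AC-7 limit, so the SC-5 per-source throttle is what stops it."""
    guard = LoginGuard(source_limit=20, source_window=60)
    t = 2000.0
    return [attempt_login(guard, f"user{i}", "203.0.113.7", "Winter2026!", t + i)
            for i in range(attempts)]


if __name__ == "__main__":
    print(simulate_burst())
    print(simulate_spray())
```

The two checks are deliberately independent: the lockout is keyed on the account so that a distributed attacker cannot dodge it by rotating sources, and the throttle is keyed on the source so that a single client spreading guesses across many accounts is still slowed down. Unknown accounts still pay for a hash computation, which keeps the response time from revealing which usernames exist.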

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (Credential Access): Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

Why this technique? The missing rate limiting and lockout directly enable unlimited automated credential guessing against the login endpoint.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
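Because the affected versions enforce no lockout or throttling themselves, an instance that cannot be upgraded immediately has to rely on detection outside the application. Below is an added example, not part of the original entry and not Raytha's own log format: a sliding-window detector for T1110 run over constructed authentication log lines. The line format, field names, addresses and timestamps are all assumed for the demonstration.

```python
"""Sliding-window brute force detection over authentication log lines.
Added example; the log format and every line in SAMPLE_LOG are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): one source fails five times
# against admin and then succeeds; a second source fails slowly over 30 min.
SAMPLE_LOG = """\
2026-03-16T10:00:01Z login result=failure user=admin src=203.0.113.7
2026-03-16T10:00:02Z login result=failure user=admin src=203.0.113.7
2026-03-16T10:00:03Z login result=failure user=admin src=203.0.113.7
2026-03-16T10:00:04Z login result=failure user=admin src=203.0.113.7
2026-03-16T10:00:05Z login result=failure user=admin src=203.0.113.7
2026-03-16T10:00:06Z login result=success user=admin src=203.0.113.7
2026-03-16T10:00:07Z login result=failure user=alice src=198.51.100.2
2026-03-16T10:09:00Z login result=failure user=alice src=198.51.100.2
2026-03-16T10:30:00Z login result=failure user=bob src=198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(log_text):
    """Yield (timestamp, result, user, src) for every line that matches the format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                            # skip unrelated or malformed lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["result"], m["user"], m["src"]


def detect_brute_force(log_text, threshold=5, window=timedelta(minutes=5)):
    """Alert once per source when `threshold` failures fall inside `window`,
    and separately when a success follows such a run (a likely correct guess)."""
    events = sorted(parse(log_text))            # process in time order
    recent = defaultdict(list)                  # src -> timestamps of recent failures
    alerts, alerted = [], set()
    for ts, result, user, src in events:
        fails = recent[src]
        if result == "failure":
            fails.append(ts)
            while fails and ts - fails[0] > window:
                fails.pop(0)                    # slide the window forward
            if len(fails) >= threshold and src not in alerted:
                alerts.append({"type": "brute_force", "src": src,
                               "failures": len(fails), "at": ts})
                alerted.add(src)
        elif result == "success" and len(fails) >= threshold:
            alerts.append({"type": "success_after_failures", "src": src,
                           "user": user, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG):
        print(alert)
```

The slow second source never trips the threshold, which is the trade-off a window-based rule makes: lengthening the window catches low-and-slow guessing at the cost of more noise from users who genuinely mistype. The success-after-failures alert is the higher-value signal and is worth routing straight to the account owner and the incident queue.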

NVD Description

Raytha CMS does not have any brute force protection mechanism implemented. It allows an attacker to send multiple automated logon requests without triggering lockout, throttling, or step-up challenges. This issue was fixed in version 1.4.6.

Deeper analysis

CVE-2025-69246 is a critical vulnerability in Raytha CMS, published on 2026-03-16, stemming from the absence of any brute force protection mechanism on its login functionality. This allows attackers to send unlimited automated logon requests without lockout, throttling, or step-up challenges being triggered. Assigned CWE-307 and a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the flaw affects Raytha CMS versions prior to 1.4.6.

Any remote attacker without privileges or user interaction can exploit this vulnerability over the network with low complexity. Successful exploitation enables brute-forcing login credentials, potentially granting full administrative access to the CMS, leading to high impacts on confidentiality, integrity, and availability through unauthorized data access, modification, or disruption.

The issue was addressed in Raytha CMS version 1.4.6. Additional details are available in advisories from CERT.pl at https://cert.pl/en/posts/2026/03/CVE-2025-69236 and the vendor site at https://raytha.com. Security practitioners should upgrade to the patched version and consider implementing supplementary brute force mitigations such as rate limiting or CAPTCHA on exposed instances.

Details

CWE(s): CWE-307 Improper Restriction of Excessive Authentication Attempts

Affected Products

Vendor: raytha
Product: raytha
Versions: ≤ 1.4.6

CVEs Like This One

CVE-2025-15540 (same product: Raytha Raytha)
CVE-2025-69240 (same product: Raytha Raytha)
CVE-2026-6947 (shared CWE-307)
CVE-2025-23368 (shared CWE-307)
CVE-2026-22278 (shared CWE-307)
CVE-2026-35597 (shared CWE-307)
CVE-2025-14362 (shared CWE-307)
CVE-2025-69615 (shared CWE-307)
CVE-2024-57610 (shared CWE-307)
CVE-2025-12547 (shared CWE-307)
