Cyber Resilience

CVE-2025-69246

Medium

Published: 16 March 2026

Modified: 16 March 2026
CVSS Score (v4): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0038 (29.8th percentile)
Risk Priority: 35 (floored blend · peak EPSS)

Summary

CVE-2025-69246 is a medium-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Raytha Raytha. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). The CVE is ranked at the 29.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2025-69246 is a critical vulnerability in Raytha CMS, published on 2026-03-16, stemming from the absence of any brute force protection mechanism on its login functionality. This allows attackers to send unlimited automated logon requests without lockout, throttling, or step-up challenges being triggered. Assigned CWE-307 and a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), the flaw affects Raytha CMS versions prior to 1.4.6.

Any remote attacker without privileges or user interaction can exploit this vulnerability over the network with low complexity. Successful exploitation enables brute-forcing login credentials, potentially granting full administrative access to the CMS, leading to high impacts on confidentiality, integrity, and availability through unauthorized data access, modification, or disruption.

The issue was addressed in Raytha CMS version 1.4.6. Additional details are available in advisories from CERT.pl at https://cert.pl/en/posts/2026/03/CVE-2025-69236 and the vendor site at https://raytha.com. Security practitioners should upgrade to the patched version and consider implementing supplementary brute force mitigations such as rate limiting or CAPTCHA on exposed instances.
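The three mitigations this analysis recommends (consecutive-failure lockout per AC-7, request throttling per SC-5, and a step-up challenge before further password checks) as one added Python example; this is illustrative code, not Raytha's own, and the LoginGuard name, the thresholds and the in-memory store are assumptions.

```python
"""Added example (not Raytha's code): a login guard for CWE-307 mitigation.
Thresholds and the in-memory dictionaries are assumptions for illustration."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class LoginGuard:
    max_failures: int = 5          # consecutive failures before lockout (AC-7)
    lockout_seconds: int = 900     # how long the account stays locked
    step_up_after: int = 3         # failures before a CAPTCHA/MFA challenge
    rate_limit: int = 20           # attempts per source per window (SC-5)
    window_seconds: int = 60
    failures: dict = field(default_factory=dict)      # account -> failure count
    locked_until: dict = field(default_factory=dict)  # account -> unlock time
    attempts: dict = field(default_factory=dict)      # source -> attempt times

    def check(self, account: str, source: str, now: float) -> str:
        """Decide what to do with an attempt BEFORE the password is verified.
        Returns "throttled", "locked", "step_up" or "allow"."""
        times = self.attempts.setdefault(source, deque())
        while times and now - times[0] >= self.window_seconds:
            times.popleft()                      # slide the per-source window
        if len(times) >= self.rate_limit:
            return "throttled"                   # SC-5: burst from one source
        times.append(now)
        if self.locked_until.get(account, 0) > now:
            return "locked"                      # AC-7: account is locked out
        if self.failures.get(account, 0) >= self.step_up_after:
            return "step_up"                     # demand a challenge first
        return "allow"

    def record(self, account: str, success: bool, now: float) -> None:
        """Update counters AFTER the credential check; a success clears them.
        The count is kept across an expired lockout, so the next failure
        re-locks the account rather than granting a fresh budget."""
        if success:
            self.failures.pop(account, None)
            return
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
```

Because `check` takes the clock as a parameter, lockout expiry and window sliding can be exercised deterministically in tests; in production pass `time.time()`.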

Vulnerability details

Raytha CMS does not have any brute force protection mechanism implemented. It allows an attacker to send multiple automated logon requests without triggering lockout, throttling, or step-up challenges. This issue was fixed in version 1.4.6.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1110 Brute Force (Credential Access)
Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
Why these techniques?

Directly enables unlimited automated credential guessing against the login endpoint due to missing rate limiting/lockout.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-15540 (same product: Raytha Raytha)
CVE-2025-69240 (same product: Raytha Raytha)
CVE-2026-45364 (shared CWE-307)
CVE-2026-45010 (shared CWE-307)
CVE-2026-22278 (shared CWE-307)
CVE-2025-23368 (shared CWE-307)
CVE-2024-23106 (shared CWE-307)
CVE-2024-57610 (shared CWE-307)
CVE-2025-69615 (shared CWE-307)
CVE-2026-35597 (shared CWE-307)

Affected Assets

Vendor: raytha
Product: raytha
Version: ≤ 1.4.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly enforces limits on consecutive invalid logon attempts and automatic account lockout to prevent brute-force credential guessing.
prevent: Provides denial-of-service protections such as rate limiting and throttling to block excessive automated login requests.
prevent: Implements adaptive authentication mechanisms like step-up challenges to mitigate risks from repeated failed logon attempts.
