CVE-2025-9004
Published: 15 August 2025
Summary
CVE-2025-9004 is a low-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Mtons Mblog. Its CVSS base score is 2.9 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked in the top 40.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-7 (Unsuccessful Logon Attempts).
Deeper analysis
CVE-2025-9004 is a vulnerability in mtons mblog versions up to 3.5.0, affecting unknown processing of the /settings/password file. It manifests as improper restriction of excessive authentication attempts, mapped to CWE-307 and CWE-799. The CVSS v3.1 base score is 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating low severity with network accessibility but high attack complexity.
Remote, unauthenticated attackers can exploit this issue with no user interaction required. Exploitation enables limited confidentiality impact, such as potential information disclosure through excessive authentication attempts on the affected endpoint, though it is considered difficult overall.
Advisories referenced in Gitee issues (https://gitee.com/mtons/mblog/issues/ICPMIR) and VulDB entries (https://vuldb.com/?ctiid.320033, https://vuldb.com/?id.320033, https://vuldb.com/?submit.628785) provide further details. The exploit has been publicly disclosed and may be used.
Notable context includes the vulnerability's publication on 2025-08-15 and recognition that exploitation is rather high in complexity and known to be difficult.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-24978
Vulnerability details
A vulnerability was found in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /settings/password. The manipulation leads to improper restriction of excessive authentication attempts. The attack may be initiated remotely. The complexity of an…
more
attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability in the /settings/password endpoint lacks rate limiting or CAPTCHA, enabling brute force password guessing (T1110.001) remotely without authentication, as explicitly mapped by VulDB.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces limits on consecutive unsuccessful authentication attempts to the /settings/password endpoint, blocking the exact CWE-307 weakness.
Requires the system to enforce an explicit access-control policy that restricts excessive authentication attempts before granting any further access.
Provides account-management mechanisms (lockout, disabling) that can be applied after repeated failed attempts on the affected password-change function.