Cyber Resilience

CVE-2025-9004

LowPublic PoC

Published: 15 August 2025

Published
15 August 2025
Modified
29 April 2026
KEV Added
Patch
CVSS Score v4 2.9 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0038 59.8th percentile
Risk Priority 6 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9004 is a low-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in Mtons Mblog. Its CVSS base score is 2.9 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Guessing (T1110.001); ranked in the top 40.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-7 (Unsuccessful Logon Attempts).

Deeper analysis

CVE-2025-9004 is a vulnerability in mtons mblog versions up to 3.5.0, affecting unknown processing of the /settings/password file. It manifests as improper restriction of excessive authentication attempts, mapped to CWE-307 and CWE-799. The CVSS v3.1 base score is 3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N), indicating low severity with network accessibility but high attack complexity.

Remote, unauthenticated attackers can exploit this issue with no user interaction required. Exploitation enables limited confidentiality impact, such as potential information disclosure through excessive authentication attempts on the affected endpoint, though it is considered difficult overall.

Advisories referenced in Gitee issues (https://gitee.com/mtons/mblog/issues/ICPMIR) and VulDB entries (https://vuldb.com/?ctiid.320033, https://vuldb.com/?id.320033, https://vuldb.com/?submit.628785) provide further details. The exploit has been publicly disclosed and may be used.

Notable context includes the vulnerability's publication on 2025-08-15 and recognition that exploitation is rather high in complexity and known to be difficult.

EU & UK References

Vulnerability details

A vulnerability was found in mtons mblog up to 3.5.0. This issue affects some unknown processing of the file /settings/password. The manipulation leads to improper restriction of excessive authentication attempts. The attack may be initiated remotely. The complexity of an…

more

attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1110.001 Password Guessing Credential Access
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

The vulnerability in the /settings/password endpoint lacks rate limiting or CAPTCHA, enabling brute force password guessing (T1110.001) remotely without authentication, as explicitly mapped by VulDB.

CVEs Like This One

CVE-2025-36363Shared CWE-307
CVE-2024-9342Shared CWE-307
CVE-2026-32292Shared CWE-307
CVE-2026-24436Shared CWE-307
CVE-2025-58587Shared CWE-307
CVE-2026-27521Shared CWE-307
CVE-2026-30790Shared CWE-307
CVE-2026-32729Shared CWE-307, CWE-799
CVE-2025-25595Shared CWE-307
CVE-2026-32295Shared CWE-307

Affected Assets

mtons
mblog
≤ 3.5.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces limits on consecutive unsuccessful authentication attempts to the /settings/password endpoint, blocking the exact CWE-307 weakness.

prevent

Requires the system to enforce an explicit access-control policy that restricts excessive authentication attempts before granting any further access.

prevent

Provides account-management mechanisms (lockout, disabling) that can be applied after repeated failed attempts on the affected password-change function.

References