CVE-2025-30235

Published: Mar 19, 2025Modified: Mar 19, 2025

3.5

Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N

Exploitability: 1.8 / Impact: 1.4

Source: MITRE (Secondary)

Description

Shearwater SecurEnvoy SecurAccess Enrol before 9.4.515 is intended to disable accounts that have had more than 10 failed authentication attempts, but instead allows hundreds of failed authentication attempts, because concurrent attempts are mishandled.

Related CWEs

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References (2)

https://reserge.org/probabilistically-breaking-securenvoy-totp/

Source: cve@mitre.org

https://securenvoy.com/wp-content/uploads/2025/03/Release-Notes-9.4.515.pdf

Source: cve@mitre.org

Timeline

No history available yet.