Description

Airship AI Acropolis allows unlimited MFA attempts for 15 minutes after a user has logged in with valid credentials. A remote attacker with valid credentials could brute-force the 6-digit MFA code. Fixed in 10.2.35, 11.0.21, and 11.1.9.

PUBLISHED Reserved 2025-04-15 | Published 2025-09-22 | Updated 2025-09-30 | Assigner cisa-cg




HIGH: 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
HIGH: 7.7 CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-307 Improper Restriction of Excessive Authentication Attempts

Product status

Default status: unknown

Any version before 10.2.35: affected
Any version before 11.0.21: affected
Any version before 11.1.9: affected

10.2.35: unaffected
11.0.21: unaffected
11.1.9: unaffected

Credits

Zach Crosman, CISA

References

www.cve.org/CVERecord?id=CVE-2025-35041 (url)

raw.githubusercontent.com/...IT/white/2025/va-25-265-01.json (url)

cve.org (CVE-2025-35041)

nvd.nist.gov (CVE-2025-35041)
