CVE-2025-30235
3.5
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N
Summary
Shearwater SecurEnvoy SecurAccess Enrol before 9.4.515 is intended to disable accounts that have had more than 10 failed authentication attempts, but instead allows hundreds of failed authentication attempts, because concurrent attempts are mishandled.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| SecurEnvoy | SecurAccess | 0 < 9.4.515 | affected |
Weaknesses
- CWE-362: CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://reserge.org/probabilistically-breaking-securenvoy-totp/
- https://securenvoy.com/wp-content/uploads/2025/03/Release-Notes-9.4.515.pdf
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.