CVE-2025-59113

Summary

Windu CMS implements weak client-side brute-force protection by using parameter loginError. Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting this parameter.

Only version 4.1 was tested and confirmed as vulnerable. This issue was fixed in version 4.1 build 2250.

Affected Software

VendorProductVersion RangeStatus
JCDWindu CMS0 <= 4.1affected

Weaknesses

  • CWE-307: CWE-307 Improper Restriction of Excessive Authentication Attempts

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References