CVE-2025-22273

CRITICAL Year: 2025
Weakness Type
CWE-770
View all →

Vulnerability Description

Application does not limit the number or frequency of user interactions, such as the number of incoming requests. At the "/EPMUI/VfManager.asmx/ChangePassword" endpoint it is possible to perform a brute force attack on the current password in use. This issue affects CyberArk Endpoint Privilege Manager in SaaS version 24.7.1. The status of other versions is unknown. After multiple attempts to contact the vendor we did not receive any answer.

Related Vulnerabilities

CVE-2018-20033

CRITICAL
CVSS:9.8(Critical)

A Remote Code Execution vulnerability in lmgrd and vendor daemon components of FlexNet Publisher version 11.16.1.0 and earlier could allow a remote attacker to corrupt the memory by allocating / deall...

CWE-7702018

CVE-2019-17067

CRITICAL
CVSS:9.8(Critical)

PuTTY before 0.73 on Windows improperly opens port-forwarding listening sockets, which allows attackers to listen on the same port to steal an incoming connection.

CWE-7702019

CVE-2023-25156

CRITICAL
CVSS:9.8(Critical)

Kiwi TCMS, an open source test management system, does not impose rate limits in versions prior to 12.0. This makes it easier to attempt brute-force attacks against the login page. Users should upgrad...

CWE-7702023

CVE-2023-38507

CRITICAL
CVSS:9.8(Critical)

Strapi is the an open-source headless content management system. Prior to version 4.12.1, there is a rate limit on the login function of Strapi's admin screen, but it is possible to circumvent it. The...

CWE-7702023

CVE-2024-44241

CRITICAL
CVSS:9.8(Critical)

The issue was addressed with improved bounds checks. This issue is fixed in iOS 18.1 and iPadOS 18.1. An attacker may be able to cause unexpected system termination or arbitrary code execution in DCP ...

CWE-7702024

CVE-2021-41591

CRITICAL
CVSS:9.4(Critical)

ACINQ Eclair before 0.6.3 allows loss of funds because of dust HTLC exposure.

CWE-7702021