CRITICAL🇵🇱 Wersja polska

CVE-2023-33759

CVSS 9.8v3.1pub. 2024-01-25upd. 2025-05-30

SpliceCom Maximiser Soft PBX v1.5 and before does not restrict excessive authentication attempts, allowing attackers to bypass authentication via a brute force attack.

🤖 AI Analysis
How it works

The system does not implement mechanisms limiting the number of failed authentication attempts (CWE-307 — Improper Restriction of Excessive Authentication Attempts). An attacker can send an unlimited number of login requests over the network, systematically testing combinations of authentication credentials. The lack of account lockout, time limits, or CAPTCHA mechanisms makes brute force attacks feasible without any technical obstacles.

Impact

A successful attack allows the attacker to gain unauthorized access to the PBX system, which may lead to complete takeover of the telephone exchange, violation of data confidentiality and integrity, and potential disruption of communication services.

Mitigation & patch

Patches available from the manufacturer should be applied according to the references. Additionally, it is recommended to implement compensating controls, such as restricting access to the login interface at the firewall level, introducing login attempt limits, and monitoring anomalous authentication patterns.

Who is affected

SpliceCom Maximiser Soft PBX version 1.5 and earlier.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Splicecom Maximiser Soft Pbx

    APP
    Splicecom
    ≤ 1.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2023-33758MEDIUM6.1ten sam produkt

Splicecom Maximiser Soft PBX v1.5 and before was discovered to contain a cross-site scripting (XSS) vulnerabil...

CVE-2023-33760MEDIUM5.3ten sam produkt

SpliceCom Maximiser Soft PBX v1.5 and before was discovered to utilize a default SSL certificate. This issue c...

CVE-2023-33757MEDIUM5.9ten sam vendor

A lack of SSL certificate validation in Splicecom iPCS (iOS App) v1.3.4, iPCS2 (iOS App) v2.8 and before, and ...