SpliceCom Maximiser Soft PBX v1.5 and before does not restrict excessive authentication attempts, allowing attackers to bypass authentication via a brute force attack.
The system does not implement mechanisms limiting the number of failed authentication attempts (CWE-307 — Improper Restriction of Excessive Authentication Attempts). An attacker can send an unlimited number of login requests over the network, systematically testing combinations of authentication credentials. The lack of account lockout, time limits, or CAPTCHA mechanisms makes brute force attacks feasible without any technical obstacles.
A successful attack allows the attacker to gain unauthorized access to the PBX system, which may lead to complete takeover of the telephone exchange, violation of data confidentiality and integrity, and potential disruption of communication services.
Patches available from the manufacturer should be applied according to the references. Additionally, it is recommended to implement compensating controls, such as restricting access to the login interface at the firewall level, introducing login attempt limits, and monitoring anomalous authentication patterns.
SpliceCom Maximiser Soft PBX version 1.5 and earlier.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HSplicecom Maximiser Soft Pbx
APPSplicecom≤ 1.5
Related vulnerabilities
Splicecom Maximiser Soft PBX v1.5 and before was discovered to contain a cross-site scripting (XSS) vulnerabil...
SpliceCom Maximiser Soft PBX v1.5 and before was discovered to utilize a default SSL certificate. This issue c...
A lack of SSL certificate validation in Splicecom iPCS (iOS App) v1.3.4, iPCS2 (iOS App) v2.8 and before, and ...