CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists that could cause account takeover and unauthorized access to the system when an attacker conducts brute-force attacks against the login form.
The system does not limit the number of failed authentication attempts, allowing an attacker to automatically and massively test combinations of usernames and passwords (brute-force attack) directly against the login form. The lack of account lockout mechanisms, CAPTCHA, or time-based thresholds allows an attacker to continue attempting without obstacles until the correct credentials are guessed.
An attacker can take over a user account and gain unauthorized access to the system, potentially leading to a complete breach of confidentiality, integrity, and availability of data.
Apply patches available from the manufacturer according to the references — Schneider Electric security bulletin SEVD-2024-072-01 available at the address indicated in the references section
Versions indicated in manufacturer references (Schneider Electric security bulletin SEVD-2024-072-01)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H