# CVE-2025-56221 Improper Restriction of Excessive Authentication Attempts
Description
An attacker can make unlimited authentication attempts, increasing the risk of compromising targeted user accounts through password guessing.
------------------------------------------
CVSS Score: 7.5 (High)
------------------------------------------
Attack Type
* Remote (Authenticated)
------------------------------------------
Affected Versions
* Versions before <= 8.6.8
------------------------------------------
Vendor of Product
* Ascertia
------------------------------------------
Affected Product Code Base
* SigningHub
------------------------------------------
Affected Component
* Authentication API (/authenticate).
------------------------------------------
Mitigations
* Implement rate-limit/cooldown period for the authentication API.
------------------------------------------
Vulnerability Details
* The authentication API does not enforce rate limiting on login attempts, allowing an attacker to repeatedly try different password combinations without restriction. This can lead to brute-force attacks, where an attacker systematically guesses user credentials to gain unauthorized access to accounts.
Without proper rate limiting or account lockout mechanisms, the system becomes highly susceptible to automated attacks, especially when combined with leaked or commonly used passwords.
------------------------------------------
Fixed versions
* Versions after > 8.6.8
------------------------------------------
Discovered By:
* Yazan Abu-Nadi
[4.0K] /data/pocs/55e30e5c407ab7827ba7ef50de112f5bf1936854
└── [1.6K] README.md
1 directory, 1 file