CVE-2025-42600
Brute Force Attack Vulnerability in Meon KYC solutions
In short
Meon KYC solutions allows attackers to guess One-Time Passwords (OTPs) repeatedly without limits, enabling unauthorized access to user accounts through brute force attacks.
Technical detail
The vulnerability stems from missing rate limiting and attempt restrictions on OTP validation endpoints (CWE-307). A remote, unauthenticated attacker can perform brute force attacks on the login process to enumerate valid OTPs and gain unauthorized access to arbitrary user accounts.
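The weakness described above is the absence of an attempt counter and lockout on the OTP check. The following is an added example (not code from Meon or from the advisory) showing the unbounded pattern behind CWE-307 next to a hardened verifier that caps failed attempts per challenge, expires codes, locks the challenge after too many failures, and compares in constant time. The policy values (5 attempts, 300 s validity, 900 s lockout) and the injectable clock are assumptions chosen for illustration and testing.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # failed guesses allowed per OTP challenge (assumed policy)
OTP_TTL_SECONDS = 300   # how long an issued OTP stays valid (assumed policy)
LOCKOUT_SECONDS = 900   # how long a challenge stays locked after MAX_ATTEMPTS (assumed policy)


def verify_unbounded(expected: str, submitted: str) -> bool:
    """Pattern behind CWE-307: nothing counts failures, so a 6-digit code
    is exhausted by at most 10**6 requests and the check is also timing-leaky."""
    return expected == submitted


@dataclass
class OtpChallenge:
    code: str
    issued_at: float
    failures: int = 0
    locked_until: float = 0.0


class OtpVerifier:
    """Per-user OTP state with attempt limiting, expiry and lockout."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, ttl=OTP_TTL_SECONDS,
                 lockout=LOCKOUT_SECONDS, clock=time.time):
        self._challenges: dict[str, OtpChallenge] = {}
        self._max_attempts = max_attempts
        self._ttl = ttl
        self._lockout = lockout
        self._clock = clock  # injectable for deterministic tests

    def issue(self, user_id: str) -> str:
        """Create a fresh 6-digit code from a CSPRNG; replaces any earlier challenge."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[user_id] = OtpChallenge(code=code, issued_at=self._clock())
        return code

    def verify(self, user_id: str, submitted: str) -> str:
        """Return 'ok', 'invalid', 'locked', 'expired' or 'no_challenge'."""
        now = self._clock()
        ch = self._challenges.get(user_id)
        if ch is None:
            return "no_challenge"
        if now < ch.locked_until:
            # Locked challenges reject even the correct code: the attacker
            # must not learn anything from further submissions.
            return "locked"
        if now - ch.issued_at > self._ttl:
            del self._challenges[user_id]
            return "expired"
        if hmac.compare_digest(ch.code.encode(), submitted.encode()):
            del self._challenges[user_id]  # single use: a code cannot be replayed
            return "ok"
        ch.failures += 1
        if ch.failures >= self._max_attempts:
            # Burn the code and lock the challenge; the user must request a new OTP.
            ch.code = ""
            ch.locked_until = now + self._lockout
        return "invalid"


if __name__ == "__main__":
    v = OtpVerifier()
    code = v.issue("alice")
    print(v.verify("alice", "000000" if code != "000000" else "000001"))  # invalid
    print(v.verify("alice", code))  # ok
```

In a real deployment the challenge table would live in shared storage (for example a cache with TTLs) so that the limit holds across application instances, and the counter should be keyed by the challenge rather than by client IP, since an attacker rotating source addresses must not reset it. The lockout result is returned even for the correct code; that is deliberate, because the point of the control is to make the guessing budget per challenge small enough that a 6-digit space cannot be searched.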
Summary generated and translated by AI from the official description.
This vulnerability exists in Meon KYC solutions due to missing restrictions on the number of incorrect One-Time Password (OTP) attempts through certain API endpoints of the login process. A remote attacker could exploit this vulnerability by performing a brute force attack on the OTP, which could lead to unauthorized access to other user accounts.
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N
Affected products
Meon · KYC solutions