Description
Improper restriction of excessive authentication attempts vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Brute Force.

This issue affects Mobile Application: from 1.6.2 before 1.13.
Published: 2026-05-21
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Telecommunication of Turkey Electricity Transmission Corporation (TEİAŞ) Mobile Application contains an improper restriction of authentication attempts error that allows an attacker to perform a brute force attack against the one‑time password (OTP) entry. The vulnerability is a classic example of CWE‑307: Improper Restriction of Excessive Authentication Attempts, and could allow an attacker to guess or force a valid OTP and gain unauthorized access to the application, potentially exposing sensitive user data or functionality. It does not directly provide code execution but violates confidentiality and integrity by circumventing the intended authentication mechanism.

Affected Systems

TEİAŞ Mobile Application versions from 1.6.2 up to, but not including, 1.13 are impacted. Versions 1.13 and later are not affected.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate severity vulnerability, yet an attacker can exploit it by sending repeated OTP attempts from a client device. The EPSS score is not available, so current exploitation probability is unknown, but the vulnerability is not listed in the CISA KEV catalog, suggesting no confirmed exploits. The attack vector is presumed to be client‑side or over an open network connection, requiring access to the mobile application interface. Exploitation also requires minimal prior information about the target credential or OTP payload, making it potentially high‑impact if unchecked.

Generated by OpenCVE AI on May 21, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the TEİAŞ Mobile Application to version 1.13 or later, which contains the fix for the OTP brute‑force restriction.
  • Configure the application’s authentication service to lock the account or enforce a cooldown period after a set number of failed OTP attempts, reducing the feasibility of brute‑force attacks.
  • Enable logging and monitoring of OTP request failures to detect and respond to potential brute‑force attempts early.

Generated by OpenCVE AI on May 21, 2026 at 15:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 21 May 2026 14:45:00 +0000

Type Values Removed Values Added
Description Improper restriction of excessive authentication attempts vulnerability in Turkiye Electricity Transmission Corporation (TEİAŞ) Mobile Application allows Brute Force. This issue affects Mobile Application: from 1.6.2 before 1.13.
Title OTP Bypass in TEİAŞ's Mobile Application
Weaknesses CWE-307
References
Metrics cvssV3_1

{'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: TR-CERT

Published:

Updated: 2026-05-21T14:32:45.765Z

Reserved: 2026-02-03T14:06:50.593Z

Link: CVE-2026-1816

cve-icon Vulnrichment

Updated: 2026-05-21T14:32:42.400Z

cve-icon NVD

Status : Deferred

Published: 2026-05-21T15:16:22.557

Modified: 2026-05-21T15:24:41.890

Link: CVE-2026-1816

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T15:30:13Z

Weaknesses