Description
KTM System e-BOK does not implement any limit or timeout on consecutive login attempts, allowing an attacker to perform unlimited authentication requests. This lack of rate‑limiting enables efficient brute‑force attacks against user accounts. When combined with vulnerability CVE-2026-35097, where passwords are restricted to a six‑digit numeric format, this becomes a critical issue, as such passwords can be brute‑forced in a relatively short time.

This issue was fixed in the patch published in June 2026.
Published: 2026-06-30
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an absence of rate limiting on consecutive login attempts in KTM System e‑BOK, allowing unlimited authentication requests. This creates an opportunity for brute‑force attacks; when combined with the six‑digit numeric password scheme from CVE‑2026‑35097, an attacker can discover valid credentials in a relatively short period, compromising user accounts and granting unauthorized access to sensitive data and services.

Affected Systems

The affected product is KTM System e-BOK, an online customer service (e-BOK) portal. The issue was fixed by a patch released in June 2026; administrators should verify that their deployment is running the patched version rather than assuming it.

Risk and Exploitability

The CVSS v4.0 score of 6.9 (Medium) reflects network reachability without privileges or user interaction, with limited impact on confidentiality, integrity and availability. No EPSS score is available, so the exploitation probability cannot be quantified, and the vulnerability is not in the CISA KEV catalog. Based on the description, the attack vector is the remote login endpoint: an attacker can submit login attempts repeatedly from any IP address, so exploitation is straightforward whenever password entropy is low. With no throttling, delay or account lockout, the only bound on a brute-force run is the attacker's own request rate and the size of the password keyspace, which for six-digit numeric passwords is 10^6 values.
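The following is an added illustration, not code from KTM System e-BOK: a login service that answers every attempt (the vulnerable shape described above) beside one that applies the per-account lockout and per-source budget the recommended actions call for. The user database, the sample PIN, the source address and the attacker loop are all constructed here; the only facts taken from the advisory are the absence of any limit on consecutive attempts (CVE-2026-35098) and the six-digit numeric password format (CVE-2026-35097).

```python
"""Brute force of a six-digit numeric PIN against an unthrottled login, next to a
throttled one.  Added illustration, not code from KTM System e-BOK; the login
services, the sample user and the attacker are constructed for this example."""
import hmac
from dataclasses import dataclass, field

PIN_KEYSPACE = 10 ** 6  # every six-digit numeric password, 000000 .. 999999


def worst_case_seconds(requests_per_second: float) -> float:
    """Time to exhaust the whole keyspace at a sustained request rate."""
    return PIN_KEYSPACE / requests_per_second


class UnthrottledLogin:
    """Vulnerable shape: every attempt is answered, nothing is counted or delayed."""

    def __init__(self, users: dict):
        self._users = users  # constructed sample data: username -> PIN

    def login(self, user: str, pin: str) -> bool:
        return hmac.compare_digest(self._users.get(user, ""), pin)


@dataclass
class LockoutLogin:
    """Hardened shape: per-account lockout after N consecutive failures plus a
    per-source-IP attempt budget.  The clock is a field so the demo is deterministic;
    a real deployment would read time.monotonic() and persist state server-side."""
    users: dict
    max_failures: int = 5        # consecutive failures before the account locks
    lockout_seconds: int = 900   # bounded lockout (15 min), so it cannot be abused for DoS
    ip_budget: int = 50          # attempts one source address gets per window
    window_seconds: int = 60
    now: float = 0.0
    _failures: dict = field(default_factory=dict)
    _locked_until: dict = field(default_factory=dict)
    _ip_hits: dict = field(default_factory=dict)

    def login(self, user: str, pin: str, ip: str) -> str:
        """Return 'ok', 'fail', 'locked' or 'throttled'."""
        hits = [t for t in self._ip_hits.get(ip, []) if t > self.now - self.window_seconds]
        if len(hits) >= self.ip_budget:
            return "throttled"          # source budget spent: the PIN is not even checked
        hits.append(self.now)
        self._ip_hits[ip] = hits
        if self._locked_until.get(user, 0.0) > self.now:
            return "locked"             # account locked: answer without checking the PIN
        # compare even for unknown users so the response does not reveal which exist
        if hmac.compare_digest(self.users.get(user, ""), pin):
            self._failures[user] = 0
            return "ok"
        n = self._failures.get(user, 0) + 1
        if n >= self.max_failures:
            self._locked_until[user] = self.now + self.lockout_seconds
            n = 0
        self._failures[user] = n
        return "fail"


def brute_force_unthrottled(svc: UnthrottledLogin, user: str):
    """Enumerate the keyspace in order; return (pin, attempts_used)."""
    for i in range(PIN_KEYSPACE):
        pin = f"{i:06d}"
        if svc.login(user, pin):
            return pin, i + 1
    return None, PIN_KEYSPACE


def brute_force_lockout(svc: LockoutLogin, user: str, ip: str, attempts: int):
    """Same enumeration against the hardened service from one source address.
    Returns (pin_or_None, outcome_counts)."""
    counts = {"ok": 0, "fail": 0, "locked": 0, "throttled": 0}
    for i in range(attempts):
        result = svc.login(user, f"{i:06d}", ip)
        counts[result] += 1
        if result == "ok":
            return f"{i:06d}", counts
    return None, counts


if __name__ == "__main__":
    users = {"alice": "493817"}  # constructed sample account
    print("keyspace exhausted at 100 req/s in", worst_case_seconds(100) / 3600, "hours")
    print("unthrottled:", brute_force_unthrottled(UnthrottledLogin(users), "alice"))
    print("lockout:    ", brute_force_lockout(LockoutLogin(users), "alice", "203.0.113.5", 60))
```

Against the unthrottled service the attacker simply walks the keyspace and recovers the PIN after a number of attempts equal to its position (under 10^6 in every case); against the hardened one the same loop gets five real answers, is then told "locked" regardless of the PIN submitted, and loses its per-source budget after fifty requests, so the attacker learns nothing further until the bounded lockout expires. The lockout is deliberately bounded and the source budget deliberately separate, because an unbounded per-account lockout hands an attacker a way to lock legitimate users out.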

Generated by OpenCVE AI on June 30, 2026 at 15:36 UTC.

Remediation

No vendor advisory or workaround link is recorded on this page; the CVE description states that the issue was fixed in the patch published in June 2026.

OpenCVE Recommended Actions

  • Apply the June 2026 patch, which the CVE description states fixes this issue, and confirm the deployment also addresses the six‑digit numeric password format tracked as CVE-2026-35097, since the two weaknesses compound each other.
  • If the patch cannot be applied immediately, lock an account after a defined number of consecutive failed login attempts (for example five) or add a growing delay between attempts, and keep the lockout bounded so an attacker cannot use it to lock legitimate users out.
  • Enforce stronger password requirements, such as longer length and an alphanumeric mix, so the keyspace is no longer 10^6 values: at 100 requests per second the entire six‑digit space is exhausted in under three hours.
  • Monitor authentication logs for bursts of failures against one account or from one source address, and put IP‑based throttling or CAPTCHA challenges in front of the login endpoint.
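The log-monitoring point above, as an added example that is not part of the original page: a small detector that parses constructed authentication log lines (the line format is invented here and is not e-BOK's) and raises alerts for repeated failures against one account, repeated failures from one source, and one source spraying a few attempts across many accounts. Thresholds are illustrative starting points to tune per deployment.

```python
"""Authentication-log detection for credential brute force and password spraying.

Added example: the log format and every sample line below are constructed for
this illustration (not e-BOK's log format); thresholds are illustrative."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) login user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(lines):
    """Return (timestamp, user, src, result) tuples, oldest first; lines that do
    not match are skipped so a malformed line cannot stop the detector."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            events.append((ts, m["user"], m["src"], m["result"]))
    return sorted(events)


def detect(lines, window=timedelta(seconds=60), fail_threshold=10, spray_users=5):
    """Return a sorted list of (kind, key) alerts:
      ('bruteforce-account', user): >= fail_threshold failures on one account inside window
      ('bruteforce-source', src):   >= fail_threshold failures from one source inside window
      ('spray-source', src):        failures against >= spray_users distinct accounts inside window
    An unthrottled login lets one source trip all three; a user mistyping trips none."""
    fails = [e for e in parse(lines) if e[3] == "FAIL"]
    alerts = set()
    by_user, by_src = defaultdict(list), defaultdict(list)
    for ts, user, src, _ in fails:
        for key, bucket in ((user, by_user), (src, by_src)):
            q = bucket[key]
            q.append(ts)
            while q[0] < ts - window:   # drop failures that fell out of the sliding window
                q.pop(0)
        if len(by_user[user]) >= fail_threshold:
            alerts.add(("bruteforce-account", user))
        if len(by_src[src]) >= fail_threshold:
            alerts.add(("bruteforce-source", src))
    # spraying: one source, many accounts, only a few attempts on each
    per_src = defaultdict(list)
    for ts, user, src, _ in fails:
        per_src[src].append((ts, user))
    for src, items in per_src.items():
        for i, (start, _) in enumerate(items):
            if len({u for t, u in items[i:] if t <= start + window}) >= spray_users:
                alerts.add(("spray-source", src))
                break
    return sorted(alerts)


# Constructed sample: a brute force on one account, a spray across six accounts,
# a user who mistypes twice then succeeds, and one unparseable line.
SAMPLE_LOG = (
    [f"2026-06-30T14:00:{s:02d}Z login user=alice src=203.0.113.5 result=FAIL" for s in range(12)]
    + [f"2026-06-30T14:05:{5 * i:02d}Z login user={u} src=198.51.100.7 result=FAIL"
       for i, u in enumerate(["anna", "bartek", "celina", "dawid", "ewa", "filip"])]
    + ["2026-06-30T14:10:00Z login user=bob src=192.0.2.9 result=FAIL",
       "2026-06-30T14:10:07Z login user=bob src=192.0.2.9 result=FAIL",
       "2026-06-30T14:10:15Z login user=bob src=192.0.2.9 result=OK",
       "<html>page footer that leaked into the log</html>"]
)

if __name__ == "__main__":
    for kind, key in detect(SAMPLE_LOG):
        print(f"ALERT {kind}: {key}")
```

The per-account and per-source counters catch the pattern this CVE enables (one source hammering one account); the spray check exists because an attacker who knows lockout is coming will instead try one or two PINs against many accounts, which the first two counters never reach.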

Generated by OpenCVE AI on June 30, 2026 at 15:36 UTC.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 14:00:00 +0000

Type          Values Removed   Values Added
Description   (none)           KTM System e-BOK does not implement any limit or timeout on consecutive login attempts, allowing an attacker to perform unlimited authentication requests. This lack of rate‑limiting enables efficient brute‑force attacks against user accounts. When combined with vulnerability CVE-2026-35097, where passwords are restricted to a six‑digit numeric format, this becomes a critical issue, as such passwords can be brute‑forced in a relatively short time. This issue was fixed in the patch published in June 2026.
Title         (none)           Improper Restriction of Excessive Authentication Attempts in KTM System e-BOK
Weaknesses    (none)           CWE-307
References    (none)           (none)
Metrics       (none)           cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-06-30T14:40:52.478Z

Reserved: 2026-04-01T13:05:10.153Z

Link: CVE-2026-35098

Vulnrichment

Updated: 2026-06-30T14:40:48.710Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T15:45:05Z

Weaknesses
  • CWE-307

    Improper Restriction of Excessive Authentication Attempts