Impact
The AIL Framework lacked rate limiting on OTP verification attempts. Because the OTP endpoint allowed unlimited guesses after a password was supplied, an attacker could brute‑force the secondary authentication factor. This design flaw (CWE‑307) permits unauthorized account access by evading the intended two‑factor protection, compromising the confidentiality and integrity of user accounts.
Affected Systems
The issue exists in the AIL Project's AIL Framework. No specific version numbers are listed, so all deployments that use the framework’s OTP verification routine without applying the recent patch are potentially affected.
Risk and Exploitability
The CVSS score of 5.1 indicates moderate severity. Because the patch was not yet listed in the CISA KEV catalog and the EPSS score is unavailable, no active exploitation has been confirmed. Based on the description, it is inferred that an attacker who has reached the OTP verification step can repeatedly submit guesses. Thus, the vulnerability can be exploited remotely or locally once the attacker can access the OTP endpoint. The risk is limited to accounts that use the framework and can be targeted by anyone able to reach the OTP step. The likelihood of successful brute‑force increases with the lack of a lockout mechanism, though the impact remains confined to affected deployments.
OpenCVE Enrichment