CVE-2025-8118

PAD CMS implements weak client-side brute-force protection by utilizing two cookies:login_countand login_timeout.Information about attempt count or timeout is not stored on the server, which allows a malicious attacker to bypass this brute-force protection by resetting those cookies. This issue affects all 3 templates: www, bip and www+bip.

This product is End-Of-Life and producent will not publish patches for this vulnerability.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
UNKNOWN
---
CERT-PLCNA
---
---
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Common Weakness Enumeration
References
https://cert.pl/posts/2025/09/CVE-2025-7063