CVE-2025-1740

Akinsoft · Akinsoft MyRezzta

A critical vulnerability has been identified in Akinsoft MyRezzta software which fails to lock out users after multiple incorrect login attempts.

Executive summary

A critical vulnerability has been identified in Akinsoft MyRezzta software which fails to lock out users after multiple incorrect login attempts. This allows an attacker to use automated tools to guess passwords repeatedly, eventually bypassing authentication to gain unauthorized access to the system and its data.

Vulnerability

The software lacks a mechanism to properly restrict excessive authentication attempts on its login interfaces. An attacker can exploit this by performing a brute-force attack, using automated scripts to submit a vast number of username and password combinations without being blocked or throttled. This can also be applied to password recovery functions, allowing an attacker to systematically guess recovery codes or answers to security questions, ultimately leading to an authentication bypass and complete account takeover.

Business impact

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the affected system. An attacker could gain unauthorized access to sensitive business data, including customer information, financial records, and operational details. This could result in significant financial loss, data breaches, regulatory fines, reputational damage, and business disruption. Depending on the compromised account's privileges, the attacker could potentially gain administrative control over the application.

Remediation

Immediate Action: The primary remediation is to update all instances of Akinsoft MyRezzta to the latest version released by the vendor, which addresses this vulnerability. After patching, it is crucial to review access and authentication logs for any signs of past or ongoing brute-force attempts.

Proactive Monitoring: Security teams should actively monitor for indicators of compromise. This includes looking for an abnormally high rate of failed login attempts from a single IP address or a distributed set of IPs, successful logins immediately following a large number of failures, and logins from unexpected geographical locations or at unusual times.
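As an added example that is not part of this advisory or of Akinsoft's software, the following Python script applies the indicators above to a constructed authentication log: a burst of failures from one source IP or against one account inside a sliding window, and a successful login that follows such a burst. The log format, field names and thresholds are assumptions, not MyRezzta's real format.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumed: failures per key within WINDOW
WINDOW = timedelta(minutes=5)   # assumed sliding window
# Constructed sample log in a generic format (not MyRezzta's actual format):
# "<ISO timestamp> <source ip> <account> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2025-01-01T10:00:00 198.51.100.7 alice LOGIN_FAIL
2025-01-01T10:00:01 198.51.100.7 alice LOGIN_FAIL
2025-01-01T10:00:02 198.51.100.7 alice LOGIN_FAIL
2025-01-01T10:00:03 198.51.100.7 alice LOGIN_FAIL
2025-01-01T10:00:04 198.51.100.7 alice LOGIN_FAIL
2025-01-01T10:00:05 198.51.100.7 alice LOGIN_OK
2025-01-01T10:01:00 203.0.113.5 bob LOGIN_FAIL
2025-01-01T10:01:30 203.0.113.5 bob LOGIN_OK
2025-01-01T10:02:00 203.0.113.10 admin LOGIN_FAIL
2025-01-01T10:02:01 203.0.113.11 admin LOGIN_FAIL
2025-01-01T10:02:02 203.0.113.12 admin LOGIN_FAIL
2025-01-01T10:02:03 203.0.113.13 admin LOGIN_FAIL
2025-01-01T10:02:04 203.0.113.14 admin LOGIN_FAIL
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result

def detect(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return ('burst', kind, value, n) when a source IP or target account
    reaches `threshold` failures inside `window`, and ('success_after_failures',
    kind, value, n) when a login succeeds while that IP or account still has
    `threshold` recent failures (the 'success right after failures' signal)."""
    recent = defaultdict(deque)   # key -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse(line)
        # Count per source IP (one noisy attacker) and per account
        # (distributed attempts spread across many IPs).
        for key in (("ip", ip), ("user", user)):
            q = recent[key]
            while q and ts - q[0] > window:   # expire failures outside window
                q.popleft()
            if result == "LOGIN_FAIL":
                q.append(ts)
                if len(q) >= threshold and key not in flagged:
                    flagged.add(key)
                    alerts.append(("burst",) + key + (len(q),))
            elif result == "LOGIN_OK" and len(q) >= threshold:
                alerts.append(("success_after_failures",) + key + (len(q),))
    return alerts
```

Running `detect(SAMPLE_LOG)` flags the single-IP burst against `alice`, the login that succeeds right after it, and the distributed burst against `admin`, while `bob`'s one failure followed by success raises nothing.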

Compensating Controls: If immediate patching is not feasible, implement compensating controls to mitigate the risk. These include deploying a Web Application Firewall (WAF) with rules to rate-limit or block IPs that generate excessive failed logins, enforcing Multi-Factor Authentication (MFA) across all accounts, and restricting access to the application's login page to trusted IP address ranges.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical severity (CVSS 9.8) of this vulnerability, we recommend immediate and urgent action. The primary course of action is to apply the vendor-supplied patches to all affected systems without delay. Although this CVE is not yet on the CISA KEV list, its high impact score signifies a significant risk of future exploitation. Organizations that cannot patch immediately must implement the suggested compensating controls, such as WAF rules and access restrictions, to reduce their attack surface while a permanent fix is being deployed.