CVE-2026-61458
PasswordPusher · PasswordPusher
PasswordPusher is vulnerable to improper restriction of excessive authentication attempts, allowing attackers to perform brute-force attacks against sensitive credentials.
Executive summary
An unauthenticated brute-force vulnerability in PasswordPusher allows attackers to bypass rate limiting, posing a significant risk of unauthorized credential access.
Vulnerability
This vulnerability (CWE-307) involves an unauthenticated, network-accessible endpoint that lacks proper rate limiting or account lockout mechanisms. An attacker can exploit this to perform high-speed credential guessing attacks.
Business impact
The lack of authentication throttling significantly lowers the barrier for attackers to compromise passwords stored or managed within the application. Given the CVSS score of 7.5 (High), this represents a critical risk of data breach and unauthorized access to sensitive information, potentially leading to widespread account takeovers.
Remediation
Immediate Action: Update PasswordPusher to version 2.9.2 or later to implement necessary authentication rate limiting.
Proactive Monitoring: Review application access logs for patterns indicative of automated brute-force attempts, such as high volumes of failed login requests from single or distributed IP addresses.
Compensating Controls: Deploy a Web Application Firewall (WAF) or rate-limiting proxy to block or throttle requests to authentication endpoints until the software can be patched.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability presents a high risk to organizational security due to the potential for credential harvesting. Administrators must prioritize updating to version 2.9.2 immediately to enforce secure authentication practices and prevent automated abuse.