CVE-2025-31991: CWE-307 Improper restriction of excessive authentication attempts in HCLSoftware Velocity
CVE-2025-31991 is a vulnerability in HCLSoftware Velocity versions prior to 5. 1. 7 where rate limiting on user login attempts is not properly enforced. This improper restriction allows attackers with high privileges to perform brute-force attacks beyond the intended unsuccessful login attempt limits. The vulnerability impacts the integrity of the system by potentially allowing unauthorized access through repeated authentication attempts. A fix for this issue is available in version 5. 1. 7.
AI Analysis
Technical Summary
This vulnerability (CVE-2025-31991) in HCLSoftware Velocity involves improper restriction of excessive authentication attempts (CWE-307). Specifically, the product does not correctly enforce rate limiting on login attempts, enabling brute-force attacks past the unsuccessful login attempt threshold. The CVSS 3.1 base score is 6.8 (medium severity), with an attack vector of network, low attack complexity, requiring high privileges, no user interaction, and a scope change. The impact is limited to integrity, with no confidentiality or availability impact. The issue is fixed in version 5.1.7.
Potential Impact
The vulnerability allows an attacker with high privileges to bypass the intended rate limiting on login attempts, potentially enabling brute-force attacks that could compromise system integrity. There is no direct impact on confidentiality or availability reported. No known exploits in the wild have been reported.
Mitigation Recommendations
A fix is available in HCLSoftware Velocity version 5.1.7. Users should upgrade to this version or later to remediate the vulnerability. Since the vendor advisory indicates the issue is fixed in 5.1.7, applying this official fix is the recommended mitigation.
CVE-2025-31991: CWE-307 Improper restriction of excessive authentication attempts in HCLSoftware Velocity
Description
CVE-2025-31991 is a vulnerability in HCLSoftware Velocity versions prior to 5. 1. 7 where rate limiting on user login attempts is not properly enforced. This improper restriction allows attackers with high privileges to perform brute-force attacks beyond the intended unsuccessful login attempt limits. The vulnerability impacts the integrity of the system by potentially allowing unauthorized access through repeated authentication attempts. A fix for this issue is available in version 5. 1. 7.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability (CVE-2025-31991) in HCLSoftware Velocity involves improper restriction of excessive authentication attempts (CWE-307). Specifically, the product does not correctly enforce rate limiting on login attempts, enabling brute-force attacks past the unsuccessful login attempt threshold. The CVSS 3.1 base score is 6.8 (medium severity), with an attack vector of network, low attack complexity, requiring high privileges, no user interaction, and a scope change. The impact is limited to integrity, with no confidentiality or availability impact. The issue is fixed in version 5.1.7.
Potential Impact
The vulnerability allows an attacker with high privileges to bypass the intended rate limiting on login attempts, potentially enabling brute-force attacks that could compromise system integrity. There is no direct impact on confidentiality or availability reported. No known exploits in the wild have been reported.
Mitigation Recommendations
A fix is available in HCLSoftware Velocity version 5.1.7. Users should upgrade to this version or later to remediate the vulnerability. Since the vendor advisory indicates the issue is fixed in 5.1.7, applying this official fix is the recommended mitigation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- HCL
- Date Reserved
- 2025-04-01T18:46:35.960Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69dd138382d89c981f0e28d0
Added to database: 4/13/2026, 4:02:11 PM
Last enriched: 4/13/2026, 4:17:29 PM
Last updated: 4/13/2026, 5:15:55 PM
Views: 13
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.