
CVE-2025-35041: CWE-307 Improper Restriction of Excessive Authentication Attempts in Airship AI Acropolis

Severity: High
Tags: CVE-2025-35041, CWE-307
Published: Mon Sep 22 2025 (09/22/2025, 15:56:38 UTC)
Source: CVE Database V5
Vendor/Project: Airship AI
Product: Acropolis

Description

Airship AI Acropolis allows unlimited MFA attempts for 15 minutes after a user has logged in with valid credentials. A remote attacker with valid credentials could brute-force the 6-digit MFA code. Fixed in 10.2.35, 11.0.21, and 11.1.9.

AI-Powered Analysis

Last updated: 10/01/2025, 00:16:13 UTC

Technical Analysis

CVE-2025-35041 is a high-severity vulnerability identified in Airship AI's Acropolis product, classified under CWE-307: Improper Restriction of Excessive Authentication Attempts. The vulnerability arises because the system allows unlimited Multi-Factor Authentication (MFA) attempts for a 15-minute window after a user has successfully logged in with valid credentials. Specifically, an attacker who has obtained valid user credentials can remotely brute-force the 6-digit MFA code without any throttling or lockout mechanisms during this period. This flaw effectively undermines the security benefits of MFA by enabling attackers to bypass the second authentication factor through repeated guessing attempts. The vulnerability affects versions prior to the fixed releases 10.2.35, 11.0.21, and 11.1.9. The CVSS v3.1 score of 7.5 reflects the high impact on confidentiality, integrity, and availability, with the attack vector being network-based and requiring low privileges but no user interaction. The vulnerability's exploitation could lead to unauthorized account access, data breaches, and potential lateral movement within affected environments. Although no known exploits are currently reported in the wild, the vulnerability's nature makes it a significant risk once weaponized.
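To make the flaw concrete from the defender's side, the following is an added example (not Airship AI code, and not taken from the vendor's fix) that models the MFA step after a successful password login. With `cap_attempts=False` the verifier behaves as the advisory describes: any number of guesses is accepted while the 15-minute pending window is open. With the default cap, the pending login is locked after a fixed number of failures, so each password login buys an attacker at most that many guesses at the 6-digit code. The attempt cap of 5, the session layout and the return codes are assumptions chosen for the example; `brute_force_success_bound` gives the upper bound on the chance that a given number of distinct guesses hits a uniformly random code.

```python
import hmac
import secrets
from dataclasses import dataclass

CODE_SPACE = 10 ** 6            # a 6-digit numeric MFA code has one million possible values
PENDING_TTL_SECONDS = 15 * 60   # window after password login in which the MFA step may be completed
MAX_MFA_ATTEMPTS = 5            # hypothetical cap chosen for this example, not the vendor's value


def brute_force_success_bound(attempts: int, code_space: int = CODE_SPACE) -> float:
    """Upper bound on the probability that `attempts` distinct guesses hit a uniformly random code."""
    return min(1.0, attempts / code_space)


@dataclass
class PendingLogin:
    """State created after a successful password login, before the MFA step is completed."""
    user: str
    expected_code: str
    created_at: float
    failures: int = 0
    locked: bool = False


class MfaVerifier:
    """Second-factor check with a per-login attempt cap (hardened behaviour by default).

    cap_attempts=False reproduces the weakness in the advisory: unlimited guesses are
    accepted while the pending login is inside its 15-minute window.
    """

    def __init__(self, cap_attempts: bool = True, max_attempts: int = MAX_MFA_ATTEMPTS):
        self.cap_attempts = cap_attempts
        self.max_attempts = max_attempts
        self.pending: dict[str, PendingLogin] = {}

    def password_login_succeeded(self, user: str, now: float) -> str:
        """Called once credentials check out; issues the one-time code and opens the MFA window."""
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self.pending[user] = PendingLogin(user=user, expected_code=code, created_at=now)
        # In a real system the code goes to the authenticator channel, never back to the caller.
        return code

    def verify(self, user: str, submitted: str, now: float) -> str:
        """Returns 'ok', 'bad_code', 'locked' or 'expired'."""
        session = self.pending.get(user)
        if session is None or now - session.created_at > PENDING_TTL_SECONDS:
            self.pending.pop(user, None)
            return "expired"
        if session.locked:
            return "locked"
        # Constant-time comparison so response timing does not leak which digits matched.
        if hmac.compare_digest(session.expected_code, submitted):
            del self.pending[user]      # one-time use: the code cannot be replayed
            return "ok"
        session.failures += 1
        if self.cap_attempts and session.failures >= self.max_attempts:
            # Lock this pending login; the user must repeat the password step and receive a
            # fresh code, so an attacker gets at most max_attempts guesses per password login.
            session.locked = True
            return "locked"
        return "bad_code"
```

With the cap in place the success bound per password login is `brute_force_success_bound(5)`, i.e. 5 in a million, against 1.0 for an uncapped window long enough to walk the whole code space. A real deployment would also rate-limit the password step itself, since repeated password logins reopen the window.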

Potential Impact

For European organizations, the impact of CVE-2025-35041 can be substantial, especially for those relying on Airship AI Acropolis for critical infrastructure, data management, or operational technology. Successful exploitation allows attackers to bypass MFA protections, potentially leading to unauthorized access to sensitive systems and data. This can result in data theft, disruption of services, and compromise of integrity and availability of critical business operations. Given the increasing regulatory focus in Europe on data protection (e.g., GDPR), such breaches could also lead to severe legal and financial penalties. Additionally, sectors such as finance, healthcare, and government agencies, which often deploy strong MFA mechanisms, may find their security posture weakened, increasing the risk of espionage, fraud, or sabotage. The 15-minute window of unlimited MFA attempts is particularly dangerous in automated attack scenarios, increasing the likelihood of successful brute-force attacks.

Mitigation Recommendations

Organizations using Airship AI Acropolis should immediately verify their product version and apply the patches released in versions 10.2.35, 11.0.21, or 11.1.9. Beyond patching, it is critical to implement additional security controls:

1) Enforce rate limiting or lockout policies on MFA attempts to prevent brute-force attacks, ideally reducing the window of unlimited attempts to zero.
2) Monitor authentication logs for unusual patterns, such as rapid successive MFA failures following successful credential logins.
3) Employ anomaly detection systems that can flag suspicious login behaviors, especially from unusual IP addresses or geolocations.
4) Consider integrating adaptive MFA mechanisms that increase authentication requirements based on risk factors.
5) Educate users about credential security to reduce the risk of credential compromise, which is a prerequisite for exploiting this vulnerability.
6) Network segmentation and zero-trust principles can limit the impact of compromised accounts.
7) Conduct regular penetration testing and vulnerability assessments focusing on authentication mechanisms.
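Recommendation 2 above can be implemented as a simple log rule. The following is an added example, not Acropolis code or output: the log line layout (`user=`, `event=`, `src=` fields), the event names and the sample lines are constructed for the example, and the threshold of 5 failures is an assumption. The rule opens a 15-minute window at each successful credential login, matching the window in the advisory, counts MFA failures inside it, and raises one alert per login once the threshold is reached, updating the alert's count and time span as further failures arrive.

```python
import re
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$")
MFA_WINDOW = timedelta(minutes=15)   # the post-login window described in the advisory
FAILURE_THRESHOLD = 5                # failures inside one window that trigger an alert (assumed)

# Constructed sample log (assumed layout, not real Acropolis output).
SAMPLE_LOG = """\
2025-09-22T15:56:38Z user=alice event=login_success src=203.0.113.10
2025-09-22T15:56:40Z user=alice event=mfa_failure src=203.0.113.10
2025-09-22T15:56:41Z user=alice event=mfa_failure src=203.0.113.10
2025-09-22T15:56:42Z user=alice event=mfa_failure src=203.0.113.10
2025-09-22T15:56:43Z user=alice event=mfa_failure src=203.0.113.10
2025-09-22T15:56:44Z user=alice event=mfa_failure src=203.0.113.10
2025-09-22T15:56:45Z user=alice event=mfa_failure src=203.0.113.10
2025-09-22T15:56:46Z user=alice event=mfa_failure src=203.0.113.10
2025-09-22T15:57:02Z user=bob event=login_success src=198.51.100.7
2025-09-22T15:57:10Z user=bob event=mfa_failure src=198.51.100.7
2025-09-22T15:57:25Z user=bob event=mfa_success src=198.51.100.7
2025-09-22T15:58:00Z user=carol event=mfa_failure src=192.0.2.44
this line is not an auth event and is skipped
"""


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Return a dict with ts/user/event/src, or None for lines that do not match the layout."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    fields = match.groupdict()
    fields["ts"] = _parse_ts(fields["ts"])
    return fields


def detect_mfa_brute_force(lines, threshold=FAILURE_THRESHOLD, window=MFA_WINDOW):
    """Flag users with `threshold` or more MFA failures inside `window` after a credential login."""
    pending = {}   # user -> state of the most recent successful credential login
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        user = ev["user"]
        if ev["event"] == "login_success":
            pending[user] = {"login_ts": ev["ts"], "login_src": ev["src"], "fail_ts": [], "alert": None}
            continue
        state = pending.get(user)
        # Failures with no preceding login (carol) or outside the window are not part of this pattern.
        if state is None or ev["ts"] - state["login_ts"] > window:
            continue
        if ev["event"] == "mfa_failure":
            state["fail_ts"].append(ev["ts"])
            count = len(state["fail_ts"])
            if count >= threshold:
                span = (state["fail_ts"][-1] - state["fail_ts"][0]).total_seconds()
                if state["alert"] is None:
                    state["alert"] = {"user": user, "src": ev["src"], "login_src": state["login_src"],
                                      "login_ts": state["login_ts"].isoformat(), "failures": count,
                                      "span_seconds": span}
                    alerts.append(state["alert"])
                else:
                    state["alert"]["failures"] = count
                    state["alert"]["span_seconds"] = span
        elif ev["event"] == "mfa_success":
            pending.pop(user, None)   # the window closes once the second factor is satisfied
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

Seven failures in six seconds against one freshly logged-in account is the shape of the automated attack the advisory warns about; a single mistyped code (bob) stays below the threshold. In production the same rule can feed a SIEM and, combined with the `login_src` field, supports recommendation 3 by flagging windows where the source address differs from the one used for the credential login.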


Technical Details

Data Version: 5.1
Assigner Short Name: cisa-cg
Date Reserved: 2025-04-15T20:56:24.405Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d1e592efb46fd030526296

Added to database: 9/23/2025, 12:10:58 AM

Last enriched: 10/1/2025, 12:16:13 AM

Last updated: 11/14/2025, 11:13:23 AM