CVE-2025-35041: CWE-307 Improper Restriction of Excessive Authentication Attempts in Airship AI Acropolis

High
Published: Mon Sep 22 2025 (09/22/2025, 15:56:38 UTC)
Source: CVE Database V5
Vendor/Project: Airship AI
Product: Acropolis

Description

Airship AI Acropolis allows unlimited MFA attempts for 15 minutes after a user has logged in with valid credentials. A remote attacker with valid credentials could brute-force the 6-digit MFA code. Fixed in 10.2.35, 11.0.21, and 11.1.9.

AI-Powered Analysis

Last updated: 09/23/2025, 00:11:59 UTC

Technical Analysis

CVE-2025-35041 is a high-severity vulnerability in Airship AI's Acropolis product, classified as CWE-307: Improper Restriction of Excessive Authentication Attempts. After a user logs in with valid credentials, the system accepts an unlimited number of attempts at the 6-digit Multi-Factor Authentication (MFA) code for a 15-minute window. A remote attacker who already holds valid credentials can therefore brute-force the MFA code without restriction during that window. A 6-digit numeric code has only one million possible values, so exhausting the space within 15 minutes is feasible, and the protection MFA is meant to add on top of the password is largely lost. The vulnerability affects versions of Acropolis prior to the fixed releases 10.2.35, 11.0.21, and 11.1.9. The CVSS v3.1 score is 7.5 (high), reflecting the network attack vector, the requirement for low privileges (valid credentials), no user interaction, and high impact on confidentiality, integrity, and availability. Although no exploits in the wild have been reported yet, the vulnerability presents a critical risk because it effectively nullifies MFA once valid credentials are compromised. The flaw is rooted in the absence of rate limiting or throttling on MFA attempts, a fundamental control against brute-force attacks on authentication mechanisms.

Potential Impact

For European organizations using Airship AI Acropolis, this vulnerability poses a significant risk. Attackers who have obtained valid credentials (through phishing, credential stuffing, or insider threats) can bypass MFA protections by brute-forcing the 6-digit code during the 15-minute unrestricted window. This can lead to unauthorized access to sensitive systems and data, resulting in potential data breaches, financial losses, and operational disruptions. Given the high confidentiality, integrity, and availability impact, critical business processes relying on Acropolis could be compromised. The vulnerability also undermines compliance with European data protection regulations such as GDPR, which mandate strong authentication controls to protect personal data. Organizations in sectors with high security requirements, such as finance, healthcare, and government, are particularly at risk. The current lack of known exploits in the wild provides a limited window for proactive mitigation before exploitation attempts emerge.

Mitigation Recommendations

European organizations should immediately verify their Acropolis version and apply the vendor-provided patches in versions 10.2.35, 11.0.21, or 11.1.9 to remediate this vulnerability. Until patched, organizations should implement compensating controls such as:

1) Monitoring and alerting on unusual MFA attempt patterns or multiple failed MFA attempts per user within short timeframes.
2) Enforcing additional access controls such as IP whitelisting or geo-restrictions to limit where valid credentials can be used.
3) Temporarily reducing the MFA attempt window or implementing manual MFA attempt throttling if possible via configuration or custom policies.
4) Enhancing credential hygiene by enforcing strong password policies and continuous credential monitoring to reduce the risk of credential compromise.
5) Conducting user awareness training to prevent credential theft.
6) Employing anomaly detection systems to identify suspicious login behaviors.

These measures, combined with prompt patching, will reduce the risk of exploitation and limit the attack surface.
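The control the advisory says is missing, and that mitigation items 1 and 3 approximate, is a cap on failed MFA attempts per pending login. The following is an added illustration, not Acropolis code: a second-factor verifier that keeps the 15-minute code window from the advisory, locks the user after a small number of failures (the threshold of 5 and the lockout length are assumptions) and emits audit events that a SIEM rule for repeated MFA failures can consume.

```python
import hmac
import secrets
import time

# Assumed thresholds for this example; the advisory only gives the 15-minute window.
MAX_MFA_ATTEMPTS = 5
MFA_WINDOW_SECONDS = 15 * 60
LOCKOUT_SECONDS = 15 * 60


class MfaVerifier:
    """Second-factor check that caps failed attempts per pending login and locks the user."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}       # user -> [code, issued_at, failures]
        self.locked_until = {}  # user -> epoch seconds until which new challenges are refused
        self.audit = []         # events for monitoring (mitigation item 1)

    def begin(self, user):
        """Called after a valid password; issues a 6-digit code (delivery is out of scope)."""
        if self.locked_until.get(user, 0) > self.clock():
            self.audit.append(f"mfa_begin_refused user={user} reason=locked")
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = [code, self.clock(), 0]
        return code

    def verify(self, user, submitted):
        state = self.pending.get(user)
        if state is None:
            return "no_pending_login"
        code, issued_at, _ = state
        if self.clock() - issued_at > MFA_WINDOW_SECONDS:
            del self.pending[user]
            return "expired"
        # Constant-time comparison; reject non-ASCII input before compare_digest sees it.
        if submitted.isascii() and hmac.compare_digest(code, submitted):
            del self.pending[user]
            return "ok"
        state[2] += 1
        self.audit.append(f"mfa_failure user={user} failures={state[2]}")
        if state[2] >= MAX_MFA_ATTEMPTS:
            # A 6-digit code has 10**6 values: discard the pending login and refuse new
            # challenges for a while so only a handful of guesses per password login succeed.
            del self.pending[user]
            self.locked_until[user] = self.clock() + LOCKOUT_SECONDS
            self.audit.append(f"mfa_lockout user={user}")
            return "locked"
        return "invalid"
```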

Technical Details

Data Version
5.1
Assigner Short Name
cisa-cg
Date Reserved
2025-04-15T20:56:24.405Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68d1e592efb46fd030526296

Added to database: 9/23/2025, 12:10:58 AM

Last enriched: 9/23/2025, 12:11:59 AM

Last updated: 9/29/2025, 12:09:25 AM
