
CVE-2025-42615: CWE-307 Improper Restriction of Excessive Authentication Attempts in CIRCL Vulnerability-Lookup

Severity: High
Tags: Vulnerability, CVE-2025-42615, cve, cve-2025-42615, cwe-307
Published: Mon Dec 08 2025 (12/08/2025, 12:01:05 UTC)
Source: CVE Database V5
Vendor/Project: CIRCL
Product: Vulnerability-Lookup

Description

In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the account to be locked or generating any specific alert for administrators. This lack of rate-limiting and lockout on OTP failures significantly lowers the cost of online brute-force attacks against 2FA codes and increases the risk of successful account takeover, especially if OTP entropy is reduced (e.g. short numeric codes, user reuse, or predictable tokens). Additionally, administrators had no direct visibility into accounts experiencing repeated 2FA failures, making targeted attacks harder to detect and investigate. The patch introduces a persistent failed_otp_attempts counter on user accounts, locks the user after 5 invalid OTP submissions, resets the counter on successful verification, and surfaces failed 2FA attempts in the admin user list. This enforces an account lockout policy for OTP brute-force attempts and improves monitoring capabilities for suspicious 2FA activity. This issue affects Vulnerability-Lookup: before 2.18.0.

AI-Powered Analysis

Last updated: 12/08/2025, 12:27:14 UTC

Technical Analysis

CVE-2025-42615 affects CIRCL's Vulnerability-Lookup before version 2.18.0. During 2FA verification the application neither tracked nor limited failed OTP submissions, so an attacker who already held or had guessed a valid username and password could submit OTP codes indefinitely without triggering an account lockout or an administrative alert. The weakness is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts).

Without an attempt limit, the second factor degrades into an online guessing problem. A six-digit numeric OTP has one million possible values per validity window, so an attacker who can submit codes as fast as the server answers has a realistic chance of hitting a valid one, and any reduction in OTP entropy (shorter codes, predictable tokens, reused secrets) makes the attack cheaper still. Because repeated failures were not recorded or surfaced anywhere, administrators had no direct way to notice an account under attack, which delays detection and complicates investigation.

The fix in 2.18.0 adds a persistent failed_otp_attempts counter to user accounts, locks the account after 5 invalid OTP submissions, resets the counter on successful verification, and shows failed 2FA attempts in the admin user list. The CVSS 4.0 vector, as summarized here, records a network attack vector, low attack complexity, privileges required rated none (a valid username and password are nonetheless a precondition for reaching the OTP step), user interaction required, high confidentiality impact with no integrity or availability impact, and high security requirements. No exploitation in the wild had been reported as of the publication date.
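The lockout policy described in the Description and the Technical Analysis above, shown side by side with the unlimited-attempts behaviour, as an added example. This is illustrative code written for this page, not Vulnerability-Lookup's own implementation: TOTP is implemented on the standard library so the example runs offline, and the demo secret, timestamp, usernames, guess list and the MAX_FAILED_OTP_ATTEMPTS, User, VulnerableVerifier and HardenedVerifier names are all assumptions for the example.

```python
"""Added example: an OTP verifier that never counts failures next to one that
enforces the lockout policy the advisory describes (persistent failed-attempt
counter, lock after 5 invalid codes, reset on success, counter visible to
admins). Illustrative code, not Vulnerability-Lookup's implementation."""

import hashlib
import hmac
import struct
from dataclasses import dataclass

MAX_FAILED_OTP_ATTEMPTS = 5          # threshold stated in the advisory

# Constructed demo values: fixed secret and fixed Unix time so runs are deterministic.
DEMO_SECRET = b"constructed-demo-secret-not-real"
DEMO_TIME = 1_700_000_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP on the standard library (no third-party OTP package needed)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the 30-second time step (no drift window, to stay short)."""
    return hotp(secret, at_time // step, digits)


@dataclass
class User:
    username: str
    totp_secret: bytes
    failed_otp_attempts: int = 0     # the persistent counter the patch adds
    locked: bool = False


class VulnerableVerifier:
    """Pre-2.18.0 behaviour as described: codes are checked, failures are never counted."""

    @staticmethod
    def verify(user: User, code: str, now: int) -> bool:
        return hmac.compare_digest(totp(user.totp_secret, now), code)


class HardenedVerifier:
    """Behaviour described for 2.18.0: count failures, lock at the threshold, reset on success."""

    @staticmethod
    def verify(user: User, code: str, now: int) -> bool:
        if user.locked:
            return False                  # reject before checking: a locked account cannot be brute-forced
        if hmac.compare_digest(totp(user.totp_secret, now), code):
            user.failed_otp_attempts = 0  # successful verification resets the counter
            return True
        user.failed_otp_attempts += 1     # stored on the account, so it survives new sessions
        if user.failed_otp_attempts >= MAX_FAILED_OTP_ATTEMPTS:
            user.locked = True
        return False


def admin_user_list(users) -> list:
    """What an admin user list gains from the fix: the failure counter per account."""
    return [(u.username, u.failed_otp_attempts, u.locked) for u in users]


def attack(verifier, user: User, now: int, guesses) -> dict:
    """Attacker who already has the password submits guesses in order until one is accepted."""
    for i, code in enumerate(guesses, start=1):
        if verifier.verify(user, code, now):
            return {"submissions": i, "accepted": True, "locked": user.locked}
    return {"submissions": len(guesses), "accepted": False, "locked": user.locked}


def demo() -> dict:
    """Run the same guess list (20 wrong codes, then the correct one) against both verifiers."""
    correct = totp(DEMO_SECRET, DEMO_TIME)
    wrong = [str(i).zfill(6) for i in range(20) if str(i).zfill(6) != correct]
    guesses = wrong + [correct]

    victim_a = User("alice", DEMO_SECRET)
    victim_b = User("alice", DEMO_SECRET)
    result = {
        "vulnerable": attack(VulnerableVerifier, victim_a, DEMO_TIME, guesses),
        "hardened": attack(HardenedVerifier, victim_b, DEMO_TIME, guesses),
        "hardened_counter": victim_b.failed_otp_attempts,
    }

    # Legitimate user: a few typos, then the right code; the counter must return to zero.
    honest = User("bob", DEMO_SECRET)
    for code in wrong[:3]:
        HardenedVerifier.verify(honest, code, DEMO_TIME)
    HardenedVerifier.verify(honest, correct, DEMO_TIME)
    result["honest_counter_after_success"] = honest.failed_otp_attempts
    result["admin_view"] = admin_user_list([victim_b, honest])
    return result


if __name__ == "__main__":
    print(demo())
```

Against the vulnerable verifier the correct code is accepted on the 21st submission; against the hardened one the account locks on the 5th failure and the correct code is refused afterwards, while the legitimate user's counter returns to zero on success. In a real deployment the counter and lock flag live in the user table and the lock is cleared by an administrator, not by the code above.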

Potential Impact

For organizations running Vulnerability-Lookup, the practical risk is account takeover: once a password is known (phished, reused, or leaked), the second factor costs the attacker nothing but time. Unauthorized access could expose the vulnerability data the instance holds, including any internal notes that reveal an organization's exposure, and a compromised privileged account could serve as a foothold for further attacks. Because no lockout occurs and no alert is raised, an attack can run quietly until it succeeds, which undermines incident detection and response. Instances with short or predictable OTP codes are most exposed, but even a standard six-digit code is within reach of an unthrottled online attacker. Given the role of vulnerability management tools in security operations, a compromise could disrupt triage workflows and erode trust in the controls around them. The impact is greater in sectors with strict data-protection and incident-reporting obligations, such as finance, healthcare and critical infrastructure in Europe.

Mitigation Recommendations

Upgrade Vulnerability-Lookup to version 2.18.0 or later, which enforces the OTP attempt limit and account lockout. Until that is possible, throttle the 2FA verification endpoint in front of the application (for example with a reverse-proxy request limit such as nginx's limit_req), since OTP length and format are fixed by the application rather than chosen by users and cannot be "strengthened" by policy alone. Monitor authentication logs for repeated failed OTP verifications per account and per source address and alert on them; the patched version surfaces this in the admin user list, but unpatched instances need the check done externally. Restrict access to the instance to trusted networks, via IP allow-listing or a VPN, so that a stolen password alone does not reach the OTP prompt. Audit user accounts and 2FA enrolment regularly, make sure administrators know that a burst of 2FA failures on one account is a takeover attempt in progress, and include OTP brute-force and account-takeover scenarios in the incident response plan.
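The interim log-monitoring control described above, as an added example rather than anything shipped with Vulnerability-Lookup: a small detector that scans authentication log lines for repeated failed OTP verifications per account inside a sliding window and reports the source addresses involved. The log format, field names (event, user, ip), the sample lines and the threshold and window values are constructed for this example; adapt the regular expression to the format your deployment actually writes.

```python
"""Added example: a compensating-control detector for the period before the
upgrade. It flags accounts with repeated failed OTP verifications within a
sliding window. The log format below is an assumption made for the example,
not Vulnerability-Lookup's real log format."""

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILURE_THRESHOLD = 5                 # same threshold the patch enforces server-side
WINDOW = timedelta(minutes=10)

# Constructed log format (assumption): ISO timestamp, event name, user, client IP.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) event=(?P<event>otp_(?:failed|ok)) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: 'alice' is being brute-forced from one address, 'bob' mistypes twice.
SAMPLE_LOG = """\
2025-12-08T12:00:01Z event=otp_failed user=bob ip=198.51.100.4
2025-12-08T12:00:09Z event=otp_failed user=bob ip=198.51.100.4
2025-12-08T12:00:15Z event=otp_ok user=bob ip=198.51.100.4
2025-12-08T12:01:00Z event=otp_failed user=alice ip=203.0.113.7
2025-12-08T12:01:02Z event=otp_failed user=alice ip=203.0.113.7
2025-12-08T12:01:03Z event=otp_failed user=alice ip=203.0.113.7
2025-12-08T12:01:05Z event=otp_failed user=alice ip=203.0.113.7
2025-12-08T12:01:06Z event=otp_failed user=alice ip=203.0.113.7
2025-12-08T12:01:08Z event=otp_failed user=alice ip=203.0.113.7
2025-12-08T12:30:00Z event=otp_failed user=carol ip=192.0.2.9
"""


def parse(line: str):
    """Return (timestamp, event, user, ip) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["event"], m["user"], m["ip"]


def detect(log_text: str, threshold: int = FAILURE_THRESHOLD, window: timedelta = WINDOW) -> list:
    """Emit one alert per account the first time its failures inside `window` reach `threshold`.

    A successful verification clears that account's recent-failure history, mirroring the
    counter reset in the patch, so a user who mistypes and then succeeds is not flagged.
    """
    recent = defaultdict(deque)      # user -> timestamps of failures still inside the window
    ips = defaultdict(set)           # user -> source addresses seen for those failures
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue                 # unrelated or malformed line
        ts, event, user, ip = rec
        if event == "otp_ok":
            recent[user].clear()
            ips[user].clear()
            continue
        q = recent[user]
        q.append(ts)
        ips[user].add(ip)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "failures": len(q),
                "source_ips": sorted(ips[user]),
                "first": q[0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT possible OTP brute force:", alert)
```

On the sample above only alice is reported (five failures in six seconds from 203.0.113.7); bob's two typos are cleared by his successful verification and carol's single failure stays below the threshold. Feed the same function a tail of the real log and forward its output to whatever alerting channel the SOC already uses.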


Technical Details

Data Version
5.2
Assigner Short Name
ENISA
Date Reserved
2025-04-16T12:34:02.866Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6936c3245f72f49d1523dfe6

Added to database: 12/8/2025, 12:23:00 PM

Last enriched: 12/8/2025, 12:27:14 PM

Last updated: 12/8/2025, 5:36:06 PM

