CVE-2025-66204: CWE-307: Improper Restriction of Excessive Authentication Attempts in WBCE WBCE_CMS
WBCE CMS is a content management system. Version 1.6.4 contains a brute-force protection bypass where an attacker can indefinitely reset the counter by modifying `X-Forwarded-For` on each request, gaining unlimited password guessing attempts, effectively bypassing all brute-force protection. The application fully trusts the `X-Forwarded-For` header without validating it or restricting its usage. This issue is fixed in version 1.6.5.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-66204 affects WBCE CMS version 1.6.4, a content management system used to manage websites. The core issue is improper restriction of excessive authentication attempts (CWE-307) combined with the application's unconditional trust in the X-Forwarded-For HTTP header (CWE-693). Normally, brute-force protection limits the number of failed login attempts from a source to prevent attackers from guessing passwords. Here, however, the application uses the X-Forwarded-For header to identify the source IP address of login attempts. Because any client can set this header to an arbitrary value, an attacker can change it on each request and so reset the failed-attempt counter indefinitely. This bypasses the brute-force protection entirely, allowing unlimited password guesses without triggering lockouts or rate limiting. The vulnerability requires neither authentication nor user interaction and can be exploited remotely over the network. The CVSS 4.0 score is 6.3 (medium), reflecting the network attack vector, high attack complexity, and lack of user interaction, but limited impact on confidentiality, integrity, and availability. The vulnerability was published on December 8, 2025, and is fixed in WBCE CMS version 1.6.5. No known exploits have been reported in the wild to date.
Potential Impact
For European organizations using WBCE CMS version 1.6.4, this vulnerability poses a significant risk of unauthorized access through brute-force attacks. Attackers can exploit the flaw to attempt unlimited password guesses, increasing the likelihood of credential compromise, especially if weak or reused passwords are in use. Successful exploitation could lead to account takeover, unauthorized content modification, data leakage, or further lateral movement within the network. Given that WBCE CMS is used for website content management, this could impact the integrity and availability of public-facing websites, damaging organizational reputation and potentially violating data protection regulations such as GDPR if personal data is exposed. The medium severity rating indicates a moderate but actionable risk, particularly for organizations with high-value web assets or sensitive information hosted on WBCE CMS.
Mitigation Recommendations
To mitigate this vulnerability, affected organizations should immediately upgrade WBCE CMS to version 1.6.5 or later, where the issue is fixed. In addition, organizations should validate the X-Forwarded-For header server-side so that it is only trusted when the request arrives from a known reverse proxy or load balancer. Where possible, remove any reliance on client-controlled headers for authentication rate limiting. Employ additional brute-force protection mechanisms such as account lockouts keyed on the user identifier rather than the IP address, CAPTCHA challenges after multiple failed attempts, and multi-factor authentication (MFA) to reduce the risk of credential compromise. Monitoring and alerting on unusual login patterns and failed authentication attempts can help detect exploitation attempts. Network-level protections such as web application firewalls (WAFs) can also be configured to detect and block suspicious header manipulation. Finally, enforce strong password policies and conduct regular security awareness training to reduce the risk of successful brute-force attacks.
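As an added illustration of the flaw and the mitigation described above (example code, not WBCE's own): a small Python login limiter in the flawed form the advisory describes (first X-Forwarded-For hop trusted unconditionally), next to a resolver that honours the header only when the TCP peer is a trusted proxy, and a per-username counter. The proxy subnet, sample addresses and class names are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAX_ATTEMPTS = 5
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]  # constructed: your proxy/LB subnet


def _is_trusted_proxy(addr: str) -> bool:
    try:
        return any(ip_address(addr) in net for net in TRUSTED_PROXIES)
    except ValueError:
        return False  # a malformed address is never a trusted proxy


def client_ip_vulnerable(remote_addr: str, headers: dict) -> str:
    """The flawed pattern: the first X-Forwarded-For hop is trusted unconditionally."""
    xff = headers.get("X-Forwarded-For", "")
    return xff.split(",")[0].strip() or remote_addr


def client_ip_hardened(remote_addr: str, headers: dict) -> str:
    """Honour X-Forwarded-For only behind a trusted proxy, and then use the
    right-most hop that is not itself a proxy: the address the proxy observed."""
    if not _is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted_proxy(hop):
            return hop
    return remote_addr


class LoginLimiter:
    """Failed-login counter keyed on client IP, optionally also on username."""

    def __init__(self, ip_resolver, per_user=False):
        self.ip_resolver, self.per_user = ip_resolver, per_user
        self.failures = defaultdict(int)

    def _keys(self, username, remote_addr, headers):
        keys = [("ip", self.ip_resolver(remote_addr, headers))]
        if self.per_user:
            keys.append(("user", username))  # lockout the client cannot reset
        return keys

    def allowed(self, username, remote_addr, headers) -> bool:
        return all(self.failures[k] < MAX_ATTEMPTS
                   for k in self._keys(username, remote_addr, headers))

    def record_failure(self, username, remote_addr, headers) -> None:
        for k in self._keys(username, remote_addr, headers):
            self.failures[k] += 1
```

With `client_ip_vulnerable`, a direct client that varies the header gets a fresh counter on every request; with `client_ip_hardened` the header is ignored for non-proxy peers, and `per_user=True` locks the account after MAX_ATTEMPTS regardless of which IP key was derived.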
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-11-24T23:01:29.677Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 693765059bbcd7dc91c9e948
Added to database: 12/8/2025, 11:53:41 PM
Last enriched: 12/16/2025, 6:02:23 AM
Last updated: 2/7/2026, 8:44:39 AM
Views: 109