
CVE-2025-8118: CWE-307 Improper Restriction of Excessive Authentication Attempts in Polska Akademia Dostępności PAD CMS

Severity: Medium
Tags: Vulnerability, CVE-2025-8118, CWE-307
Published: Tue Sep 30 2025 (09/30/2025, 10:04:46 UTC)
Source: CVE Database V5
Vendor/Project: Polska Akademia Dostępności
Product: PAD CMS

Description

PAD CMS implements weak client-side brute-force protection by utilizing two cookies: login_count and login_timeout. Information about the attempt count or timeout is not stored on the server, which allows an attacker to bypass this brute-force protection by resetting those cookies. This issue affects all 3 templates: www, bip and www+bip. This product is End-Of-Life and the vendor will not publish patches for this vulnerability.

AI-Powered Analysis

Last updated: 09/30/2025, 10:11:35 UTC

Technical Analysis

CVE-2025-8118 is a medium-severity vulnerability in Polska Akademia Dostępności (PAD) CMS, classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts). The CMS enforces its brute-force protection entirely on the client side, using two cookies: login_count, which records the number of failed attempts, and login_timeout, which carries the time until which further attempts are refused. Neither value is kept on the server, so the server trusts whatever the client sends. An attacker can clear or rewrite the cookies between attempts, or simply never return them at all, and the server has no way to notice: every request arrives looking like a first attempt. All three product templates (www, bip and www+bip) are affected. The product is End-Of-Life and the vendor will not issue a patch.

The CVSS 4.0 base score is 6.9 (medium). The vector describes a network-reachable flaw with low attack complexity and no privileges or user interaction required; the rated impact is a low loss of integrity (VI:L), with no confidentiality or availability impact scored. No exploitation in the wild is reported.

In practice the flaw gives an unauthenticated remote attacker unlimited credential-guessing attempts against any account. Any off-the-shelf brute-force or password-spray tool that does not persist cookies between requests already bypasses the control, so no special tooling is needed. Whether this ends in account compromise depends on password strength and on whether any control outside the CMS (reverse proxy, WAF) throttles the login endpoint.
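To make the weakness concrete, here is an added example (not PAD CMS code, whose login handler is not on this page) that models a lockout kept only in the two cookies the advisory names, next to a server-side replacement, and runs a brute-force client against both. The cookie names come from the advisory; the request and response shapes, the thresholds, the demo credential store and the constructed wordlist are assumptions.

```python
# Added example, not PAD CMS code: a cookie-based lockout modelled on the
# login_count / login_timeout scheme the advisory describes, beside a server-side
# replacement. Cookie names follow the advisory; request/response shapes,
# thresholds and the demo credential store are assumptions.
from dataclasses import dataclass, field

USERS = {"admin": "correct horse"}  # constructed demo credential store
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 300

@dataclass
class Request:
    username: str
    password: str
    cookies: dict = field(default_factory=dict)  # whatever the client chose to send
    client_ip: str = "203.0.113.10"

@dataclass
class Response:
    ok: bool
    set_cookies: dict = field(default_factory=dict)
    status: str = ""

def vulnerable_login(req: Request, now: float) -> Response:
    """Lockout state lives only in client-controlled cookies (the CWE-307 pattern)."""
    count = int(req.cookies.get("login_count", 0))
    locked_until = float(req.cookies.get("login_timeout", 0))
    if now < locked_until:
        return Response(False, status="locked")
    if USERS.get(req.username) == req.password:
        return Response(True, {"login_count": "0", "login_timeout": "0"}, "ok")
    count += 1
    cookies = {"login_count": str(count)}
    if count >= MAX_ATTEMPTS:  # "lock out" the client by asking it to keep this cookie
        cookies = {"login_count": "0", "login_timeout": str(now + LOCKOUT_SECONDS)}
    return Response(False, cookies, "bad credentials")

class ServerSideLimiter:
    """Failure counters kept on the server, keyed by account and by source IP."""

    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout=LOCKOUT_SECONDS):
        self.max_attempts, self.lockout = max_attempts, lockout
        self._failures = {}      # key -> timestamps of recent failures
        self._locked_until = {}  # key -> epoch seconds

    def _keys(self, req):
        return (("user", req.username.lower()), ("ip", req.client_ip))

    def is_locked(self, req, now):
        return any(self._locked_until.get(k, 0) > now for k in self._keys(req))

    def record_failure(self, req, now):
        for k in self._keys(req):
            recent = [t for t in self._failures.get(k, []) if now - t < self.lockout]
            recent.append(now)
            self._failures[k] = recent
            if len(recent) >= self.max_attempts:
                self._locked_until[k] = now + self.lockout

    def record_success(self, req):
        for k in self._keys(req):
            self._failures.pop(k, None)

def hardened_login(req: Request, limiter: ServerSideLimiter, now: float) -> Response:
    """Same policy, but nothing the client sends can influence the counters."""
    if limiter.is_locked(req, now):
        return Response(False, status="locked")
    if USERS.get(req.username) == req.password:
        limiter.record_success(req)
        return Response(True, status="ok")
    limiter.record_failure(req, now)
    return Response(False, status="bad credentials")

WORDLIST = [f"password{n}" for n in range(20)] + ["correct horse"]  # constructed

def brute_force(login, wordlist=WORDLIST, keep_cookies=True):
    """Guess every entry one second apart. keep_cookies=False models an attacker who
    never echoes the lockout cookies back. Returns (attempts evaluated, password or None)."""
    jar, evaluated = {}, 0
    for i, guess in enumerate(wordlist):
        req = Request("admin", guess, dict(jar) if keep_cookies else {})
        resp = login(req, float(i))
        if resp.status != "locked":
            evaluated += 1
        if resp.ok:
            return evaluated, guess
        jar.update(resp.set_cookies)
    return evaluated, None

def run_demo():
    limiter = ServerSideLimiter()
    return {
        "vulnerable_honest_client": brute_force(vulnerable_login, keep_cookies=True),
        "vulnerable_cookie_reset": brute_force(vulnerable_login, keep_cookies=False),
        "hardened_cookie_reset": brute_force(
            lambda req, now: hardened_login(req, limiter, now), keep_cookies=False),
    }
```

An honest browser is locked out after five failures against the cookie-based check, but a client that drops the cookies gets all 21 guesses evaluated and recovers the password; against the server-side limiter the same cookie-dropping client is stopped after five. The limiter keys on the account as well as the source IP so that rotating IPs does not reset the count, and it expires old failures so a legitimate user is not locked out forever.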

Potential Impact

For European organizations running PAD CMS, the vulnerability means that credential guessing against the CMS login is never throttled or blocked by the application itself, so the chance of account compromise rises with every weak or reused password in use. A compromised CMS account can lead to unauthorized access to content and data, site defacement, or a foothold for further movement within the hosting environment. PAD CMS is a Polish product and the CVE was assigned by CERT-PL, so Polish organizations are the most exposed, but any European entity that uses the CMS for public-facing websites or internal portals faces the same reputational, data-breach and service-disruption risks. The EOL status makes this worse: there will be no official patch or vendor support, so affected organizations must rely on compensating controls or migrate.

The medium rating reflects the CVSS scoring, in which the flaw is remotely exploitable without authentication or user interaction but is credited only with a low integrity impact (unauthorized access), with no direct confidentiality or availability compromise scored. The real-world impact depends on how strong the users' credentials are and how critical the affected systems are.

Mitigation Recommendations

Since PAD CMS is End-Of-Life and no patches are forthcoming, European organizations should prioritize the following mitigations:

1) Migrate away from PAD CMS to a supported, actively maintained content management system with server-side brute-force protection and account lockout policies.
2) Put a Web Application Firewall (WAF) in front of the login endpoint, configured to detect and block repeated login attempts from the same source IP and request patterns typical of brute-force and password-spray tools.
3) Enforce strong password policies and multi-factor authentication (MFA) on all accounts, so that a guessed password alone is not enough to log in.
4) Monitor authentication logs for unusual login-attempt patterns (bursts of failures against one account or from one source, and a success that follows such a burst) and alert on them so brute-force activity is caught early.
5) If migration is not immediately feasible, enforce rate limiting and lockout in a layer the attacker cannot influence, such as a reverse proxy in front of the CMS or a server-side modification to the login handler; key the limits on the target account as well as the source IP, since attackers rotate IP addresses.
6) Educate users about weak passwords and phishing to reduce the attack surface.
7) Conduct regular security assessments and penetration tests focused on authentication mechanisms to identify and remediate weaknesses.
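For the log-monitoring recommendation, the following added example (not part of the advisory, and not PAD CMS tooling) runs a sliding-window detector over constructed authentication log lines. The log format, the field names, the window and the threshold are assumptions; the point is that counters are kept per source IP and per target account, and that a successful login arriving right after a burst of failures is reported on its own, because that is the signature of a guessed password.

```python
# Added example, not from the advisory: a sliding-window detector for the
# brute-force pattern this flaw enables, run over constructed log lines.
# The log format, field names and thresholds are assumptions, not PAD CMS's own.
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample log (not a real PAD CMS log): one benign failure for bob,
# six rapid failures against admin from one IP, then a success for admin.
SAMPLE_LOG = """\
2025-09-30T10:00:00Z login_failed user=bob ip=198.51.100.7
2025-09-30T10:00:02Z login_failed user=admin ip=203.0.113.10
2025-09-30T10:00:03Z login_failed user=admin ip=203.0.113.10
2025-09-30T10:00:04Z login_failed user=admin ip=203.0.113.10
2025-09-30T10:00:05Z login_failed user=admin ip=203.0.113.10
2025-09-30T10:00:06Z login_failed user=admin ip=203.0.113.10
2025-09-30T10:00:07Z login_failed user=admin ip=203.0.113.10
2025-09-30T10:00:08Z login_ok user=admin ip=203.0.113.10
2025-09-30T10:05:00Z login_ok user=bob ip=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) (?P<event>login_failed|login_ok) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)$")

def parse(lines):
    """Yield (timestamp, event, user, ip); silently skip lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            yield ts, m["event"], m["user"].lower(), m["ip"]

def detect(lines, window_seconds=60, threshold=5):
    """Return alerts as (alert_type, key_kind, key, timestamp) tuples.

    Failures are counted per source IP and per target account, because an attacker
    rotating IPs still has to hit the same account. A success while a key is over
    threshold is reported separately: it indicates the password was guessed.
    """
    recent = {"ip": defaultdict(deque), "user": defaultdict(deque)}
    alerts, fired = [], set()
    for ts, event, user, ip in parse(lines):
        for kind, key in (("ip", ip), ("user", user)):
            dq = recent[kind][key]
            while dq and (ts - dq[0]).total_seconds() > window_seconds:
                dq.popleft()  # expire failures that fell outside the window
            if event == "login_ok":
                if len(dq) >= threshold:
                    alerts.append(("success_after_burst", kind, key, ts))
                dq.clear()
                continue
            dq.append(ts)
            if len(dq) >= threshold and (kind, key) not in fired:
                fired.add((kind, key))  # one burst alert per key, not one per attempt
                alerts.append(("burst", kind, key, ts))
    return alerts

def alert_summary(lines=None, **kw):
    """Compact view for tests and dashboards: [(alert_type, key_kind, key), ...]."""
    if lines is None:
        lines = SAMPLE_LOG.splitlines()
    return [(a, kind, key) for a, kind, key, _ in detect(lines, **kw)]
```

On the sample, the fifth failure against admin raises a burst alert for the IP and for the account, and the success at 10:00:08 raises a success-after-burst alert for both; bob's single failure five minutes before his login has expired from the window and produces nothing. Raising the threshold above the number of failures in the sample yields no alerts at all, which is the knob to tune against the real failure rate of the site.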


Technical Details

Data Version: 5.1
Assigner Short Name: CERT-PL
Date Reserved: 2025-07-24T14:23:20.335Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68dbac586e3c400c0ffa5dff

Added to database: 9/30/2025, 10:09:28 AM

Last enriched: 9/30/2025, 10:11:35 AM

Last updated: 9/30/2025, 10:11:35 AM
