CVE-2025-8118 identifies a security weakness in the Polska Akademia Dostępności (PAD) CMS related to improper restriction of excessive authentication attempts, classified under CWE-307. The CMS attempts to limit brute-force login attempts by storing two cookies on the client side: login_count and login_timeout. However, these cookies are not validated or tracked on the server side, enabling an attacker to reset or manipulate them to bypass the brute-force protection mechanism entirely. This flaw affects all three available templates of the CMS: www, bip, and www+bip. Because the product is end-of-life, the vendor will not issue patches or updates to remediate this vulnerability. The CVSS 4.0 score of 6.9 reflects a medium severity rating, with an attack vector over the network, no required privileges or user interaction, and limited impact on confidentiality (some information disclosure possible). The vulnerability allows an unauthenticated attacker to perform unlimited login attempts, increasing the risk of credential stuffing or brute-force attacks. No known exploits have been reported in the wild as of the publication date. The root cause is the reliance on client-side state for security controls, which is inherently insecure since clients can manipulate cookies. Effective mitigation requires server-side enforcement of login attempt limits or alternative protective controls.

For European organizations using PAD CMS, this vulnerability poses a significant risk of unauthorized access through brute-force attacks. Attackers can repeatedly attempt to guess user credentials without being blocked, potentially leading to account compromise. This can result in unauthorized data access, defacement, or further exploitation within the affected networks. Given that PAD CMS is used in Poland and possibly other European countries for public-facing websites (including government or institutional portals), the impact on confidentiality and integrity of sensitive information could be substantial. The lack of vendor support due to the product's end-of-life status exacerbates the risk, as no official patches or fixes will be forthcoming. Organizations relying on this CMS may face compliance and reputational risks if breaches occur. The medium severity rating reflects that while the vulnerability does not directly allow remote code execution or full system compromise, it facilitates credential-based attacks that can lead to broader security incidents.

Since no patches are available, organizations must implement compensating controls. First, deploy server-side rate limiting or account lockout mechanisms independent of client-side cookies to restrict login attempts. This can be done via web application firewalls (WAFs), reverse proxies, or custom server configurations. Second, enable multi-factor authentication (MFA) to reduce the risk of compromised credentials leading to account takeover. Third, monitor authentication logs for abnormal login patterns indicative of brute-force attempts. Fourth, consider migrating away from PAD CMS to a supported and actively maintained content management system to eliminate exposure to this and other vulnerabilities. Finally, educate users on strong password practices and enforce password complexity requirements to reduce the effectiveness of brute-force attacks.