CVE-2025-9551: CWE-307 Improper Restriction of Excessive Authentication Attempts in Drupal Protected Pages
Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Protected Pages allows Brute Force. This issue affects Protected Pages: from 0.0.0 before 1.8.0, from 7.X-1.0 before 7.X-2.5.
AI Analysis
Technical Summary
CVE-2025-9551 is a vulnerability classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts) found in the Drupal Protected Pages module. This module is designed to restrict access to certain pages by requiring authentication. The vulnerability exists because the module versions prior to 1.8.0 and 7.x-2.5 do not adequately limit the number of authentication attempts an attacker can perform. As a result, an attacker can launch brute force attacks against user credentials without being blocked or slowed down by rate limiting or account lockout mechanisms. The vulnerability is remotely exploitable over the network without requiring any privileges or user interaction, making it easier for attackers to attempt credential guessing attacks. The impact primarily affects confidentiality by potentially exposing valid credentials and availability by causing resource exhaustion through repeated authentication attempts. The CVSS v3.1 base score of 6.5 reflects these factors, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), low confidentiality impact (C:L), no integrity impact (I:N), and low availability impact (A:L). No patches or exploit code are currently publicly available, but the issue is officially published and tracked. The vulnerability affects a widely used open-source CMS component, making it a relevant concern for many organizations running Drupal websites with the Protected Pages module installed.
Potential Impact
The vulnerability allows attackers to perform brute force attacks against authentication mechanisms protecting sensitive pages, potentially leading to unauthorized access if weak or reused credentials are present. This can compromise the confidentiality of protected content and user accounts. Additionally, repeated authentication attempts may degrade service availability by consuming server resources or triggering denial-of-service conditions. Organizations relying on Drupal Protected Pages for access control are at risk of credential compromise and service disruption. While the impact on integrity is minimal, the confidentiality and availability impacts can affect business operations, user trust, and compliance with data protection regulations. The ease of exploitation and lack of required privileges increase the risk of widespread attacks, especially in environments with weak password policies or insufficient monitoring.
Mitigation Recommendations
1. Upgrade the Drupal Protected Pages module to version 1.8.0 or later (for 0.x series) or 7.x-2.5 or later (for 7.x series) as soon as patches become available.
2. Implement additional rate limiting and account lockout policies at the web server or application firewall level to restrict excessive authentication attempts.
3. Enforce strong password policies and encourage the use of multi-factor authentication (MFA) to reduce the risk of credential compromise.
4. Monitor authentication logs for unusual patterns indicative of brute force attacks and respond promptly to suspicious activity.
5. Consider deploying web application firewalls (WAFs) with rules to detect and block brute force attempts targeting Drupal login endpoints.
6. Educate administrators and users about the risks of credential reuse and phishing to minimize attack vectors.
7. Regularly audit and update Drupal modules and dependencies to ensure timely application of security fixes.
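Recommendations 2 and 4 (a failure budget with lockout, and log monitoring for brute-force patterns) in working form. This is an added example and is not code from the Protected Pages module, from Drupal, or from this page. The log format, source addresses, paths, the five-minute window and the five-failure threshold are all constructed for the example; a real deployment would adapt parse_line() to its own watchdog or web-server records and tune the thresholds.

```python
"""Sliding-window failure counter for a protected-page password form, plus a
replay over authentication log lines to surface brute-force activity.

Added example, not part of the Protected Pages module or Drupal. The log
format is constructed: one line per attempt,
"<ISO timestamp> <source-ip> <path> <result>".
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: one source hammering the protected-page form,
# plus a legitimate user who mistypes once and then succeeds.
SAMPLE_LOG = """\
2025-10-10T22:30:00Z 203.0.113.7 /protected-pages/1 failure
2025-10-10T22:30:01Z 203.0.113.7 /protected-pages/1 failure
2025-10-10T22:30:02Z 203.0.113.7 /protected-pages/1 failure
2025-10-10T22:30:03Z 203.0.113.7 /protected-pages/1 failure
2025-10-10T22:30:04Z 203.0.113.7 /protected-pages/1 failure
2025-10-10T22:30:05Z 203.0.113.7 /protected-pages/1 failure
2025-10-10T22:30:40Z 198.51.100.2 /protected-pages/1 failure
2025-10-10T22:30:55Z 198.51.100.2 /protected-pages/1 success
2025-10-10T22:45:00Z 203.0.113.7 /protected-pages/1 success
"""

WINDOW = timedelta(minutes=5)   # constructed: sliding window for counting failures
THRESHOLD = 5                   # constructed: failures per window that trigger a lockout


def parse_line(line):
    """Parse one constructed log line into (timestamp, ip, path, result)."""
    ts, ip, path, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, path, result


class FailureTracker:
    """Per (source IP, path) sliding-window counter of failed attempts.

    This is the control CWE-307 describes as missing: once THRESHOLD failures
    fall inside WINDOW, further attempts from that source to that page are
    refused until the oldest failure ages out of the window.
    """

    def __init__(self, window=WINDOW, threshold=THRESHOLD):
        self.window = window
        self.threshold = threshold
        self.failures = defaultdict(deque)  # (ip, path) -> failure timestamps

    def _prune(self, key, now):
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, ip, path, now):
        """True if this source has already spent its failure budget."""
        key = (ip, path)
        self._prune(key, now)
        return len(self.failures[key]) >= self.threshold

    def record(self, ip, path, result, now):
        """Record an attempt; a success resets the counter for that source."""
        key = (ip, path)
        if result == "failure":
            self.failures[key].append(now)
        else:
            self.failures[key].clear()


def analyze(log_text, window=WINDOW, threshold=THRESHOLD):
    """Replay log lines through the tracker.

    Returns a list of (ip, path, timestamp) for every attempt that arrived
    while its source was locked out. On a site where the module itself does
    not enforce a limit, these are exactly the events monitoring should raise.
    """
    tracker = FailureTracker(window, threshold)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, path, result = parse_line(line)
        if tracker.is_locked(ip, path, ts):
            alerts.append((ip, path, ts.isoformat()))
            continue  # attempt is refused; its outcome is not counted
        tracker.record(ip, path, result, ts)
    return alerts


def failure_counts(log_text):
    """Total failures per source IP, for a quick 'noisiest sources' view."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        if line.strip():
            _, ip, _, result = parse_line(line)
            if result == "failure":
                counts[ip] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print("lockout violation:", alert)
    print("failures by source:", failure_counts(SAMPLE_LOG))
```

On the constructed log, the sixth failure from 203.0.113.7 at 22:30:05 is the one reported: the first five fill the budget and the window has not drained. The legitimate user (one failure, then success) never trips the limit, and the success clears the counter, which is the behaviour a lockout policy at the web server or WAF layer should reproduce so that it throttles guessing without locking out real users indefinitely.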
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: drupal
- Date Reserved: 2025-08-27T16:08:32.347Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68e98a03a6e766b7172b96a0
Added to database: 10/10/2025, 10:34:43 PM
Last enriched: 3/27/2026, 6:29:37 PM
Last updated: 3/28/2026, 9:18:21 AM
Views: 150