CVE-2026-35098: CWE-307: Improper Restriction of Excessive Authentication Attempts in KTM System e-BOK
KTM System e-BOK does not implement any limit or timeout on consecutive login attempts, allowing an attacker to perform unlimited authentication requests. This lack of rate‑limiting enables efficient brute‑force attacks against user accounts. When combined with vulnerability CVE-2026-35097, where passwords are restricted to a six‑digit numeric format, this becomes a critical issue, as such passwords can be brute‑forced in a relatively short time. This issue was fixed in the patch published in June 2026.
AI Analysis
Technical Summary
CVE-2026-35098 describes an improper restriction of excessive authentication attempts in the KTM System e-BOK product. The system does not enforce any rate-limiting or timeout on consecutive login attempts, allowing attackers to perform unlimited authentication requests. This vulnerability facilitates brute-force attacks on user accounts. When combined with CVE-2026-35097, which limits passwords to a six-digit numeric format, the risk is significantly increased. The vulnerability was addressed by a patch released in June 2026.
Potential Impact
An unauthenticated attacker who can reach the login endpoint and knows or can guess a valid username can submit authentication requests without limit, so password guessing is bounded only by network throughput. Because CVE-2026-35097 restricts passwords to six numeric digits, the whole keyspace is 10^6 values: exhausting it takes one million requests, and on average about half that. At a modest 100 requests per second the entire space is covered in under three hours, which is the "relatively short time" the advisory refers to. The same absence of throttling also lets an attacker try a few common PINs across many accounts (password spraying) without tripping any per-account control. A successful guess yields the user's access to the application. The CVSS v4.0 base score for this issue on its own is 6.9 (Medium); it is the combination with the password-format restriction that the advisory describes as critical.
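For defenders who cannot patch immediately, the first question is whether the attack is already visible in authentication logs. The following is an added example, not code from KTM System or from the CERT-PL advisory: it runs a sliding-window detector over constructed log lines and raises one alert for the brute-force pattern (many failures against one account) and another for the spray pattern (one source failing against many accounts). The log format, the 60-second window and the thresholds are assumptions chosen for illustration, and the input is assumed to be in time order.

```python
"""Flagging brute-force and password-spray patterns in authentication logs.

Added example, not code from KTM System or CERT-PL. The log line format,
thresholds and window length are assumptions; SAMPLE_LOG is constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(seconds=60)
PER_ACCOUNT_FAILS = 5   # assumed: failures against one account within WINDOW
PER_IP_ACCOUNTS = 3     # assumed: distinct accounts failed from one source within WINDOW

# Constructed sample: alice is brute-forced, erin mistypes twice then succeeds,
# 198.51.100.9 sprays three different accounts. Lines are in time order.
SAMPLE_LOG = """\
2026-06-30T10:00:00Z LOGIN_FAIL user=alice ip=203.0.113.7
2026-06-30T10:00:01Z LOGIN_FAIL user=alice ip=203.0.113.7
2026-06-30T10:00:02Z LOGIN_FAIL user=alice ip=203.0.113.7
2026-06-30T10:00:03Z LOGIN_FAIL user=alice ip=203.0.113.7
2026-06-30T10:00:04Z LOGIN_FAIL user=alice ip=203.0.113.7
2026-06-30T10:01:00Z LOGIN_FAIL user=erin ip=192.0.2.10
2026-06-30T10:01:05Z LOGIN_FAIL user=erin ip=192.0.2.10
2026-06-30T10:01:09Z LOGIN_OK user=erin ip=192.0.2.10
2026-06-30T10:02:00Z LOGIN_FAIL user=bob ip=198.51.100.9
2026-06-30T10:02:10Z LOGIN_FAIL user=carol ip=198.51.100.9
2026-06-30T10:02:20Z LOGIN_FAIL user=dave ip=198.51.100.9
"""


@dataclass(frozen=True)
class Alert:
    kind: str        # "brute_force" (one account) or "password_spray" (one source, many accounts)
    key: str         # account name or source IP
    count: int       # failures in the window (brute force) or distinct accounts (spray)
    at: datetime     # timestamp of the event that crossed the threshold


def parse_line(line):
    """Hypothetical format: '<ISO time>Z <EVENT> user=<name> ip=<addr>'."""
    ts_s, event, user_kv, ip_kv = line.split()
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, event, user_kv.split("=", 1)[1], ip_kv.split("=", 1)[1]


def detect(lines):
    account_fails = defaultdict(deque)   # user -> timestamps of recent failures
    source_fails = defaultdict(deque)    # ip -> (timestamp, user) of recent failures
    raised, alerts = set(), []           # 'raised' suppresses repeat alerts per key
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        ts, event, user, ip = parse_line(line)
        if event == "LOGIN_OK":
            account_fails[user].clear()  # a success ends the streak on that account
            continue
        if event != "LOGIN_FAIL":
            continue
        aq = account_fails[user]
        aq.append(ts)
        while ts - aq[0] > WINDOW:       # drop failures that fell out of the window
            aq.popleft()
        if len(aq) >= PER_ACCOUNT_FAILS and ("brute_force", user) not in raised:
            raised.add(("brute_force", user))
            alerts.append(Alert("brute_force", user, len(aq), ts))
        sq = source_fails[ip]
        sq.append((ts, user))
        while ts - sq[0][0] > WINDOW:
            sq.popleft()
        targets = {u for _, u in sq}
        if len(targets) >= PER_IP_ACCOUNTS and ("password_spray", ip) not in raised:
            raised.add(("password_spray", ip))
            alerts.append(Alert("password_spray", ip, len(targets), ts))
    return alerts


def detect_from_text(text):
    return detect(text.splitlines())


if __name__ == "__main__":
    for alert in detect_from_text(SAMPLE_LOG):
        print(f"{alert.at.isoformat()} {alert.kind} {alert.key} count={alert.count}")
```

On the constructed input this raises exactly two alerts, for alice and for 198.51.100.9, and nothing for erin. The per-account counter resets on success and the per-source counter does not, because a spray interleaved with legitimate logins from a shared address (a NAT gateway, for example) should still be visible; in production the thresholds need tuning against the site's real traffic.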
Mitigation Recommendations
The advisory states that a patch published in June 2026 fixes this issue; apply it so that the application enforces a limit or timeout on consecutive login attempts. The advisory provides no other mitigation guidance, the record's remediation-level field is empty, and no fixed version number is given, so confirm with KTM System which release contains the fix before treating a deployment as remediated. After patching, verify that the control actually triggers: a handful of deliberate failures against a test account should produce a lockout or a delay, and repeating the test from a second source address shows whether the limit is enforced per account, per source, or both. Until the patch is deployed, the standard compensating controls for CWE-307 can be applied in front of the application: per-account lockout or progressive delay and per-source rate limiting on the login endpoint at the reverse proxy or WAF, alerting on bursts of failed logins, and a second authentication factor where the product supports one. Because CVE-2026-35097 limits passwords to six digits, throttling alone only slows the attack; that weakness needs to be fixed alongside this one.
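To make the effect of the missing control concrete, here is an added example, not KTM System code and not the vendor's fix: a login handler that mirrors the CWE-307 condition (every request reaches the credential check) beside one that adds per-account exponential lockout and a per-source rate limit, with a sequential six-digit brute forcer run against both on a simulated clock. The lockout schedule, the thresholds, the test PIN and the 10 ms per-request cost are assumptions.

```python
"""Login throttling for a six-digit-PIN login, with a brute-force simulation.

Added example; not KTM System code and not the vendor's fix. The lockout
schedule, rate-limit thresholds and the test PIN are assumptions.
"""
import hmac
from collections import defaultdict, deque

SECRET_PIN = "482913"        # constructed test credential inside the 6-digit space
FREE_FAILURES = 5            # consecutive failures tolerated before lockouts start
BASE_LOCK_MS = 1_000         # first lockout; doubles on each further failure
MAX_LOCK_MS = 3_600_000      # lockout cap (one hour)
IP_WINDOW_MS = 60_000        # per-source sliding window
IP_MAX_FAILS = 20            # failures allowed per source within the window


def check_pin(candidate: str) -> bool:
    # constant-time compare; in a real service this is the password-hash verify
    return hmac.compare_digest(candidate.encode(), SECRET_PIN.encode())


class UnthrottledLogin:
    """Mirrors the CWE-307 condition: every request reaches the credential check."""

    def attempt(self, user, pin, ip, now_ms):
        return ("ok", None) if check_pin(pin) else ("fail", None)


class ThrottledLogin:
    """Per-account exponential lockout plus per-source sliding-window limit.

    attempt() returns (status, retry_at_ms). 'locked' and 'rate_limited' are
    answered without touching the credential store. A production service keeps
    this state in a shared store and returns one generic error for every
    non-success status so that lockouts do not reveal which accounts exist.
    """

    def __init__(self):
        self.fails = defaultdict(int)           # user -> consecutive failures
        self.locked_until = defaultdict(int)    # user -> lockout expiry (ms)
        self.ip_fails = defaultdict(deque)      # ip -> failure timestamps (ms)

    def attempt(self, user, pin, ip, now_ms):
        if now_ms < self.locked_until[user]:
            return ("locked", self.locked_until[user])
        q = self.ip_fails[ip]
        while q and now_ms - q[0] >= IP_WINDOW_MS:
            q.popleft()
        if len(q) >= IP_MAX_FAILS:
            return ("rate_limited", q[0] + IP_WINDOW_MS)
        if check_pin(pin):
            self.fails[user] = 0
            return ("ok", None)
        self.fails[user] += 1
        q.append(now_ms)
        n = self.fails[user]
        if n > FREE_FAILURES:
            lock = min(BASE_LOCK_MS << (n - FREE_FAILURES - 1), MAX_LOCK_MS)
            self.locked_until[user] = now_ms + lock
        return ("fail", None)


def brute_force(service, user="alice", ip="203.0.113.7", budget_s=86_400, req_ms=10):
    """Guess 000000..999999 in order on a simulated clock, one request per req_ms.

    On 'locked' or 'rate_limited' the attacker waits exactly until retry_at
    (the attacker's best case). Returns how many guesses reached the credential
    check, and whether the PIN was found within the time budget.
    """
    now_ms, checked = 0, 0
    for i in range(1_000_000):
        pin = f"{i:06d}"
        status, retry_at = service.attempt(user, pin, ip, now_ms)
        while status not in ("ok", "fail"):
            now_ms = max(now_ms + req_ms, retry_at)
            if now_ms > budget_s * 1000:
                return {"found": None, "guesses_checked": checked, "simulated_s": now_ms / 1000}
            status, retry_at = service.attempt(user, pin, ip, now_ms)
        checked += 1
        now_ms += req_ms
        if status == "ok":
            return {"found": pin, "guesses_checked": checked, "simulated_s": now_ms / 1000}
    return {"found": None, "guesses_checked": checked, "simulated_s": now_ms / 1000}


if __name__ == "__main__":
    print("unthrottled:", brute_force(UnthrottledLogin()))
    print("throttled:  ", brute_force(ThrottledLogin()))
```

Against the unthrottled handler the guesser recovers the constructed PIN on its 482,914th request, about 80 simulated minutes at 100 requests per second. Against the throttled handler only 40 guesses reach the credential check in a simulated 24 hours: five free failures, eleven doubling lockouts, then one guess per hour at the cap. Per-account lockout on its own is a denial-of-service lever (anyone can lock out a known username), which is why the per-source limit and a progressive delay rather than a hard lock are usually combined with it; and none of this substitutes for removing the six-digit password restriction.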
CVSS v4.0: 6.9 (Medium)
Weaknesses: CWE-307 Improper Restriction of Excessive Authentication Attempts
Technical Details
- Data Version: 5.2
- Assigner Short Name: CERT-PL
- Date Reserved: 2026-04-01T13:05:10.153Z
- CVSS Version: 4.0
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a43cd7c27e9c79719e724c7
Added to database: 06/30/2026, 14:06:52 UTC
Last enriched: 06/30/2026, 14:21:18 UTC
Last updated: 06/30/2026, 15:06:36 UTC