CRITICAL🇵🇱 Wersja polska

CVE-2025-3709

CVSS 9.8v3.1pub. 2025-05-02upd. 2025-05-07

Agentflow from Flowring Technology has an Account Lockout Bypass vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to perform password brute force attack.

🤖 AI Analysis
How it works

The system does not implement an effective account lockout mechanism after a specified number of failed login attempts (missing or bypassed Account Lockout policy). An unauthenticated remote attacker, without any privileges and without user interaction, can send an unlimited number of login requests with different password combinations. The lack of attempt restrictions allows for automated testing of large password sets until the correct one is found.

Impact

An attacker can guess the password of any user in the system and take control of their account, gaining access to sensitive data and Agentflow system functions. Depending on the privileges of the compromised account, it is possible to violate the confidentiality, integrity, and availability of the system.

Mitigation & patch

Apply patches available from the manufacturer in accordance with references published by TWCERT/CC at: https://www.twcert.org.tw/en/cp-139-10090-112f7-2.html and https://www.twcert.org.tw/tw/cp-132-10091-12462-1.html. Additionally, until the fix is implemented, it is recommended to restrict access to the login interface at the network level (firewall, VPN) and implement external mechanisms to limit login attempts (e.g., WAF, reverse proxy with rate limiting).

Who is affected

Flowring Agentflow — versions specified in the manufacturer's references (TWCERT/CC)

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Flowring Agentflow

    APP
    Flowring
    4.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-2095CRITICAL9.3PL ✓ten sam produkt

Pomijanie uwierzytelnienia w Flowring Agentflow — przejęcie tokenu dowolnego użytkownika

CVE-2026-2096CRITICAL9.3PL ✓ten sam produkt

Flowring Agentflow — brak uwierzytelnienia umożliwia manipulację bazą danych

CVE-2022-39036CRITICAL9.8ten sam produkt

The file upload function of Agentflow BPM has insufficient filtering for special characters in URLs. An unauth...

CVE-2026-2097HIGH8.7ten sam produkt

Agentflow developed by Flowring has an Arbitrary File Upload vulnerability, allowing authenticated remote atta...

CVE-2022-39038HIGH8.8ten sam produkt

Agentflow BPM enterprise management system has improper authentication. A remote attacker with general user pr...