Brute-Force

A public exploit has been published for CVE-2026-44596, a vulnerability in yamcs-core where the /auth/token authentication endpoint lacks rate limiting, allowing unauthenticated remote attackers to perform unlimited password guessing attempts against any user account, fixed in version 5.12.7.

The Login with OTP plugin for WordPress is vulnerable to authentication bypass due to an incomplete fix for CVE-2024-11178, allowing unauthenticated attackers to brute-force OTP codes and gain administrative access.

This rule identifies a high number of inbound SSH login attempts on a macOS host within a short time window by monitoring the `sshd-keygen-wrapper` process, indicating potential brute-force attacks against exposed SSH services.

iDS6 DSSPro Digital Signage System 6.2 contains a CAPTCHA security bypass vulnerability (CVE-2020-37228) that allows attackers to bypass authentication by requesting the autoLoginVerifyCode object and performing brute-force attacks against user accounts.

phpMyFAQ before 4.1.2 is vulnerable to improper restriction of excessive authentication attempts in the /admin/check endpoint, allowing unauthenticated attackers to brute-force any user's six-digit TOTP code and bypass two-factor authentication, potentially gaining full administrative access (CVE-2026-45010).

FlowiseAI exposes a basic authentication endpoint without rate limiting, allowing attackers to brute-force credentials and gain unauthorized access to the application.

D-Link DWM-222W USB Wi-Fi Adapter is vulnerable to brute-force attacks due to a protection bypass, allowing unauthenticated adjacent network attackers to gain control over the device by circumventing login attempt limits.

Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 generate predictable REST API keys, allowing attackers with knowledge of a username and approximate key creation time to brute-force access.

A machine learning job detected a spike in successful authentication events from a source IP address, which can indicate password spraying, user enumeration, or brute force activity, potentially leading to credential access.

OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets leading to forged webhook submission.

Detection of Bitbucket user login failures, potentially indicating credential access attempts, initial access attempts, or other malicious activity.

Detection of multiple consecutive logon failures from the same source address within a short time interval on Windows systems, indicating potential brute force or password spraying attacks targeting multiple user accounts.

This rule identifies potential password guessing/brute force activity from a single address, followed by a successful logon, indicating that an attacker may have compromised an account by brute-forcing login attempts across multiple users.

The Signal K server's WebSocket login endpoint lacks rate limiting, allowing attackers to bypass HTTP rate limiting by opening a WebSocket connection and attempting unlimited password guesses.

phpMyFAQ is vulnerable to an unauthenticated 2FA brute-force attack via the `/admin/check` endpoint, allowing attackers to bypass two-factor authentication and gain administrative access.

OpenEMR version 7.0.1 is vulnerable to an authentication brute force attack where attackers can bypass rate limiting by sending repeated login attempts, leading to potential unauthorized access.

Detects a significant increase (10% or greater) in failed Azure AD sign-in attempts, potentially indicating brute-force attacks, credential stuffing, or other unauthorized access attempts.

This rule identifies potential password guessing/brute force activity from a single source IP targeting multiple Windows accounts with 'admin' in the username, indicating an attempt to compromise privileged accounts.