Skip to main content
CVE Vulnerability Database

CVE-2025-8118: Widzialni Pad CMS Auth Bypass Vulnerability

CVE-2025-8118 is an authentication bypass vulnerability in Widzialni Pad CMS that allows attackers to bypass brute-force protection via cookie manipulation. This article covers technical details, affected templates, and mitigation.

Published:

CVE-2025-8118 Overview

CVE-2025-8118 affects PAD CMS by Widzialni, a Polish content management system used to publish public information websites. The vulnerability exists in the login brute-force protection mechanism. PAD CMS tracks failed authentication attempts using two client-side cookies: login_count and login_timeout. The server never persists this state. An attacker can reset or delete these cookies between attempts and continue guessing credentials without any lockout. The flaw affects all three PAD CMS templates: www, bip, and www+bip. The product is End-Of-Life, and the vendor will not release a patch.

Critical Impact

Attackers can bypass the login throttling entirely and mount unlimited credential-guessing attacks against administrative accounts on any PAD CMS deployment.

Affected Products

  • Widzialni PAD CMS - template www
  • Widzialni PAD CMS - template bip
  • Widzialni PAD CMS - template www+bip

Discovery Timeline

  • 2025-09-30 - CVE-2025-8118 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-8118

Vulnerability Analysis

The vulnerability is a client-side enforcement of a server-side security control [CWE-307: Improper Restriction of Excessive Authentication Attempts]. PAD CMS relies on browser-stored cookies to record how many failed login attempts occurred and when the next attempt is permitted. Because the browser owns the cookie jar, any attacker can inspect, modify, or delete these cookies before submitting the next authentication request.

The expected control flow rejects a login when login_count exceeds the threshold or when login_timeout is still active. In practice, an attacker sending requests via curl, a scripted HTTP client, or Burp Suite simply omits both cookies. The server processes each attempt as if it were the first, enabling unrestricted password guessing.

Root Cause

The root cause is trust in client-supplied state. Attempt counters and lockout timers must live server-side in a session store, database, or in-memory cache keyed by username or source IP. PAD CMS delegates that state to the client, so the enforcement point sits outside the trust boundary. No server-side counter, no IP-based throttle, and no account lockout backs up the cookie logic.

Attack Vector

Exploitation requires only network access to the CMS login endpoint. The attacker automates POST requests to the login handler with candidate credentials and strips the Cookie header on each request. Standard credential-stuffing and dictionary-attack tooling works without modification. Because the attack is network-based, unauthenticated, and requires no user interaction, it is practical against any internet-exposed PAD CMS instance.

The vulnerability does not directly expose data or grant code execution. Its impact is enabling credential compromise, which then leads to full administrative access to the CMS. See the CERT.PL analysis of related PAD CMS issues for additional context.

Detection Methods for CVE-2025-8118

Indicators of Compromise

  • High volume of POST requests to the PAD CMS login endpoint from a single source address or a distributed set of hosts within a short window.
  • Login requests that consistently omit the login_count and login_timeout cookies while other cookies are absent.
  • Successful administrative logins immediately preceded by dozens or hundreds of failed attempts from the same client.

Detection Strategies

  • Instrument the web server or reverse proxy to log every authentication attempt with source IP, username, timestamp, and cookie header state.
  • Alert on more than N failed logins per source IP per minute, independent of any application-layer counter.
  • Correlate login failures across the web tier with authentication success events to surface brute-force sessions that eventually succeed.

Monitoring Recommendations

  • Forward web server access logs and PAD CMS application logs into a central SIEM for retention and pattern analysis.
  • Baseline normal login traffic per site so anomalous spikes are visible.
  • Monitor for logins from geolocations or ASNs that do not match the administrative user population.

How to Mitigate CVE-2025-8118

Immediate Actions Required

  • Place PAD CMS administrative endpoints behind a VPN, IP allowlist, or reverse proxy that restricts access to known operator networks.
  • Enforce brute-force protection at the reverse proxy or Web Application Firewall (WAF) using request-rate limits keyed on source IP and username.
  • Rotate all administrative passwords and require long, unique credentials that resist offline guessing.
  • Plan migration off PAD CMS, as the product is End-Of-Life and will not receive vendor patches.

Patch Information

No patch is available. The vendor has declared PAD CMS End-Of-Life and stated no fix will be published. Organizations must apply compensating controls or migrate to a supported CMS.

Workarounds

  • Terminate authentication at an upstream identity-aware proxy that enforces multi-factor authentication and lockout policies.
  • Deploy fail2ban or an equivalent log-driven blocker to ban source IPs after a threshold of failed PAD CMS logins.
  • Restrict the login endpoint with server-side rules, for example an Nginx limit_req zone applied to the login path.
bash
# Nginx rate-limit example applied to the PAD CMS login endpoint
http {
    limit_req_zone $binary_remote_addr zone=padlogin:10m rate=5r/m;

    server {
        location = /admin/login {
            limit_req zone=padlogin burst=3 nodelay;
            proxy_pass http://padcms_backend;
        }
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.