CVE-2026-7671 Overview
CVE-2026-7671 affects the CodeWise Tornet Scooter Mobile App version 4.75 on iOS and Android. The vulnerability resides in an unspecified function within the /TwoFactor endpoint. The flaw allows improper restriction of excessive authentication attempts [CWE-307], enabling remote brute-force attacks against the two-factor authentication mechanism.
The issue has been publicly disclosed and may be referenced by attackers. The vendor was contacted prior to disclosure but did not respond. Exploitation is rated as difficult due to high attack complexity, and no active exploitation has been reported.
Critical Impact
Remote attackers can attempt unrestricted authentication attempts against the /TwoFactor endpoint, potentially bypassing two-factor protections through brute-force enumeration of authentication codes.
Affected Products
- CodeWise Tornet Scooter Mobile App 4.75 (iOS)
- CodeWise Tornet Scooter Mobile App 4.75 (Android)
- /TwoFactor authentication endpoint
Discovery Timeline
- 2026-05-03 - CVE-2026-7671 published to NVD
- 2026-05-04 - Last updated in NVD database
Technical Details for CVE-2026-7671
Vulnerability Analysis
The CodeWise Tornet Scooter Mobile App fails to enforce rate limiting on its /TwoFactor authentication endpoint. The application accepts repeated authentication attempts without throttling, account lockout, or CAPTCHA challenges. Attackers can send a high volume of requests to the endpoint without triggering any protective response.
Two-factor authentication relies on the assumption that an attacker cannot iterate through the keyspace of one-time codes. When rate limiting is absent, a six-digit numeric code becomes guessable through automated requests. This undermines the security guarantee provided by the second factor.
The vulnerability is mapped to CWE-307: Improper Restriction of Excessive Authentication Attempts. The EPSS score is 0.019% with a percentile of 5.351, indicating a low predicted likelihood of near-term exploitation.
Root Cause
The root cause is the absence of authentication attempt counters and lockout logic on the server-side handler for /TwoFactor. The endpoint processes incoming verification submissions without tracking failed attempts per account, IP address, or session.
Attack Vector
A remote attacker submits repeated POST requests to /TwoFactor containing candidate two-factor codes for a target account. Without rate limiting, the attacker can iterate through possible codes until a match is found. The attack requires prior knowledge of valid account credentials, which contributes to the high attack complexity rating.
No verified exploit code is available. The vulnerability mechanism is described in the VulDB advisory referenced below. See VulDB #360819 for additional technical context.
Detection Methods for CVE-2026-7671
Indicators of Compromise
- High volumes of POST requests to the /TwoFactor endpoint from a single source IP within short time windows
- Repeated authentication failures for the same user account followed by an eventual success
- Anomalous user-agent strings or automated request patterns targeting the two-factor verification path
Detection Strategies
- Inspect application logs for repeated /TwoFactor submissions with varying code parameters tied to the same session or account
- Correlate failed two-factor attempts with subsequent successful authentication events to identify potential brute-force success
- Deploy web application firewall rules that flag burst traffic against authentication endpoints
Monitoring Recommendations
- Forward mobile application backend logs to a centralized SIEM for sustained authentication anomaly analysis
- Alert on threshold breaches such as more than 10 failed two-factor attempts per account within five minutes
- Track geographic and device fingerprint inconsistencies between primary login and two-factor submission
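The detection strategies and the 10-failures-in-five-minutes threshold above, applied to log lines, as an added example that is not part of the original advisory. The log format (timestamp, source IP, account, path, HTTP status) and the use of 401 for a failed and 200 for a successful verification are assumptions; the sample lines are constructed.

```python
"""Flag brute-force attempts against a /TwoFactor endpoint from access logs.

Raises a "burst" alert when an account exceeds THRESHOLD failed verifications
inside a sliding five-minute window, and a "burst_then_success" alert when a
success arrives while such a burst is still in the window.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 10
WINDOW = timedelta(minutes=5)


def parse_line(line):
    # Assumed format: "<ISO timestamp> <src_ip> <account> <path> <status>"
    ts, ip, account, path, status = line.split()
    return datetime.fromisoformat(ts), ip, account, path, int(status)


def detect(lines):
    """Return {account: [alerts]} for accounts showing brute-force patterns."""
    failures = defaultdict(deque)   # account -> timestamps of recent failures
    alerts = defaultdict(list)
    for ts, ip, account, path, status in map(parse_line, lines):
        if path != "/TwoFactor":
            continue
        q = failures[account]
        while q and ts - q[0] > WINDOW:   # drop failures older than the window
            q.popleft()
        if status == 401:                 # assumed: failed verification
            q.append(ts)
            if len(q) > THRESHOLD and "burst" not in alerts[account]:
                alerts[account].append("burst")
        elif status == 200:               # assumed: successful verification
            if len(q) >= THRESHOLD:       # success right after a burst
                alerts[account].append("burst_then_success")
            q.clear()
    return {a: v for a, v in alerts.items() if v}


# Constructed sample: 12 failures for "alice" in 12 seconds, then a success;
# "bob" fails once and then succeeds, which should not be flagged.
SAMPLE_LOG = (
    [f"2026-05-04T10:00:{i:02d} 203.0.113.5 alice /TwoFactor 401" for i in range(12)]
    + ["2026-05-04T10:00:13 203.0.113.5 alice /TwoFactor 200",
       "2026-05-04T10:01:00 198.51.100.9 bob /TwoFactor 401",
       "2026-05-04T10:01:05 198.51.100.9 bob /TwoFactor 200",
       "2026-05-04T10:01:10 198.51.100.9 bob /api/profile 200"]
)

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

Keying the failure queue by source IP or session as well as account would also catch the distributed pattern described under Indicators of Compromise.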
How to Mitigate CVE-2026-7671
Immediate Actions Required
- Implement server-side rate limiting on the /TwoFactor endpoint with progressive backoff for repeated failures
- Enforce account lockout after a defined threshold of failed two-factor attempts, requiring out-of-band reset
- Log and alert on all failed two-factor verification events for security operations review
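The server-side counter with progressive backoff and lockout that the first two actions call for, as an added example and not CodeWise's code. The thresholds, delays and the `TwoFactorGuard` name are illustrative assumptions; a production version would keep the state in a shared store and key it by session and source as well as account.

```python
"""Per-account throttling for a /TwoFactor verification handler."""
import hmac
import time

MAX_FAILURES = 5        # lock the account after this many failed codes
BACKOFF_BASE = 2.0      # seconds; the delay doubles after each failure
LOCKOUT_SECONDS = 900   # 15 minutes; reset out of band in practice


class TwoFactorGuard:
    def __init__(self, now=time.time):
        self.now = now      # injectable clock so the logic can be tested
        self.state = {}     # account -> failure count and timing

    def _entry(self, account):
        return self.state.setdefault(
            account, {"failures": 0, "not_before": 0.0, "locked_until": 0.0})

    def verify(self, account, submitted, expected):
        """Return 'ok', 'bad_code', 'too_early' or 'locked'."""
        e, t = self._entry(account), self.now()
        if t < e["locked_until"]:
            return "locked"
        if t < e["not_before"]:
            return "too_early"            # backoff still in force; no compare
        if hmac.compare_digest(submitted, expected):   # constant-time check
            self.state.pop(account, None)
            return "ok"
        e["failures"] += 1
        if e["failures"] >= MAX_FAILURES:
            e["locked_until"] = t + LOCKOUT_SECONDS
            return "locked"
        # Progressive backoff: 2s, 4s, 8s, 16s before the next attempt
        e["not_before"] = t + BACKOFF_BASE * 2 ** (e["failures"] - 1)
        return "bad_code"


def simulate(attempts, expected="482913"):
    """Replay (seconds_offset, account, code) tuples against a fake clock."""
    clock = {"t": 0.0}
    guard = TwoFactorGuard(now=lambda: clock["t"])
    results = []
    for offset, account, code in attempts:
        clock["t"] = offset
        results.append(guard.verify(account, code, expected))
    return results


# Constructed scenario: wrong codes, one retry inside the backoff window,
# lockout on the fifth failure, and the correct code only after the lockout.
SCENARIO = [(0, "alice", "000000"), (1, "alice", "000001"), (3, "alice", "000002"),
            (10, "alice", "000003"), (20, "alice", "000004"), (40, "alice", "000005"),
            (50, "alice", "482913"), (1000, "alice", "482913")]
```

With five attempts per lockout, a single lockout window gives an attacker a 5-in-a-million chance at a six-digit code instead of the unbounded iteration described under Attack Vector.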
Patch Information
No vendor patch is currently available. The vendor was contacted prior to public disclosure but did not respond. Operators of the CodeWise Tornet Scooter Mobile App backend should apply compensating controls until an official update is released. Refer to VulDB #360819 for ongoing advisory updates.
Workarounds
- Place the authentication API behind a reverse proxy or WAF that enforces request rate limits per IP and per account
- Increase the entropy of two-factor codes by extending length or using time-based one-time passwords with short validity windows
- Require CAPTCHA or device-binding verification after a small number of failed two-factor attempts
# Example NGINX rate limiting configuration for the /TwoFactor endpoint.
# limit_req_zone must be declared in the http {} context; the location block
# belongs inside the server {} that proxies the mobile app backend.
limit_req_zone $binary_remote_addr zone=twofactor:10m rate=5r/m;

location /TwoFactor {
    # At most 5 requests per minute per client IP; a burst of 3 extra requests
    # is accepted immediately (nodelay) and anything beyond that gets HTTP 429.
    # This limits per IP only; per-account limiting must be enforced by the backend.
    limit_req zone=twofactor burst=3 nodelay;
    limit_req_status 429;
    proxy_pass http://backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.