Two-Factor Authentication Flaw in Vulnerability-Lookup by Vendor
CVE-2025-42615

8.1HIGH

Key Information:

Vendor: Circl
Status: Vulnerability-lookup
Vendor: CVE Published:; 8 December 2025

What is CVE-2025-42615?

The Vulnerability-Lookup tool lacked effective tracking and limiting of failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA). This oversight allowed attackers with valid credentials to submit unlimited OTP codes without triggering account lockouts or alerts for administrators. Such a vulnerability significantly raises the risk of successful account takeovers, particularly if OTPs are short or predictable. The implemented patch now enforces a limit on failed OTP submissions, locking user accounts after five invalid attempts and enhancing oversight on suspicious 2FA activities.

Affected Version(s)

Vulnerability-Lookup 0 < 2.18.0

References

https://vulnerability.circl.lu/vuln/gcve-1-2025-0033

vendor-advisory

CVSS V4

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 8, 2025
Vulnerability Reserved
Apr 16, 2025

JSON

Circl

What is CVE-2025-42615?

Affected Version(s)

References

CVSS V4

Timeline