CVE-2025-69615

March 11, 2026, 1:53 p.m.

9.1
Critical

Description

Incorrect Access Control via missing 2FA rate-limiting allowing unlimited brute-force retries and full MFA bypass with no user interaction required. Affected Product: Deutsche Telekom AG Telekom Account Management Portal, versions before 2025-10-24, fixed 2025-11-03.

Product(s) Impacted

Vendor Product Versions
Deutsche Telekom Ag
  • Telekom Account Management Portal
  • <2025-10-24

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-307
Improper Restriction of Excessive Authentication Attempts
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a deutsche_telekom_ag telekom_account_management_portal <2025-10-24 / / / / / / /

References

https://gist.github.com/ethicalrohitt/b3e6d071aac8530459e8b3a5720bb832
https://www.telekom.com/en/company/data-privacy-and-security/news/acknowledgements-358300#R

Tags

[email protected]
CWE-307
2026-03-10
CVE-2025-69615

CVSS Score

9.1 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

    View Vector String

Timeline

Published: March 10, 2026, 6:18 p.m.
Last Modified: March 11, 2026, 1:53 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.