CVE-2025-23368

Description

### Impact A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI. ### Patches The default behaviour has been changed in WildFly Core 31.0.3.Final, and 32.0.0.Beta3 - the first version is used by WildFly 39.0.1.Final and the second will be included in WildFly 40. ### Workarounds No direct workaround. Monitoring network traffic / blocking suspicious traffic may help. ### References https://www.cve.org/CVERecord?id=CVE-2025-23368 https://issues.redhat.com/browse/WFCORE-7192 ### Acknowledgements We would like to thank Claudia Bartolini (TIM S.p.A), Marco Ventura (TIM S.p.A), and Massimiliano Brolli (TIM S.p.A) for reporting this issue.

How to fix CVE-2025-23368

To remediate CVE-2025-23368, upgrade the affected package to a fixed version below.

• —upgrade to 32.0.0.Beta3 or later

Is CVE-2025-23368 being exploited?

Low — EPSS is 0.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• >= 32.0.0.Beta1, < 32.0.0.Beta3

CVSS scores

References (10)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-23368
• PATCHgithub.com/wildfly/wildfly-core
• WEBaccess.redhat.com/security/cve/CVE-2025-23368
• WEBbugzilla.redhat.com/show_bug.cgi?id=2337621
• WEB