CVE-2026-35098 | KTM System e-BOK does not implement any limit or timeout on … | CVSS 6.9 MEDIUM

Description

KTM System e-BOK does not implement any limit or timeout on consecutive login attempts, allowing an attacker to perform unlimited authentication requests. This lack of rate‑limiting enables efficient brute‑force attacks against user accounts. When combined with vulnerability CVE-2026-35097, where passwords are restricted to a six‑digit numeric format, this becomes a critical issue, as such passwords can be brute‑forced in a relatively short time. This issue was fixed in the patch published in June 2026.

Metadata

CVE ID: CVE-2026-35098
State: PUBLISHED
Assigner: CERT-PL
Reserved: 2026-04-01 13:05 UTC
Published: 2026-06-30 13:37 UTC
Last updated: 2026-06-30 14:40 UTC
Primary CWE: CWE-307
CWE-307: Improper Restriction of Excessive Authentication At…
Vendor / Product: KTM System / e-BOK
Sources: cve.org · NVD

Severity & Metrics

6.9 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
KTM System	e-BOK	—	0 < 06.2026

Weakness (CWE)

CWE	Source	Description
CWE-307	cna	CWE-307: Improper Restriction of Excessive Authentication Attempts

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.9	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

References (2)