Brief Description:
A medium-severity vulnerability was identified in the CMS due to insufficient enforcement of password complexity requirements. The application permitted users to set passwords with a minimum length of 6 characters, lacking adequate complexity to resist modern attack techniques such as password spraying or offline password cracking.
Affected Versions:
EPiServer.CMS.UI versions prior to 12.32.0.
Solutions and Mitigations:
Upgrade to EPiServer.CMS.UI version 12.32.0, which enforces a stronger password policy and improved password complexity rules.
For Users that Cannot Upgrade:
For organizations unable to upgrade, the following mitigations are recommended:
- Manually Configure Password Complexity: Ensure passwords meet a minimum length of 8 characters and include a mix of upper- and lower-case letters, numbers, and special characters.
- Monitor Login Activity: Use logging and monitoring to detect unusual login attempts and implement rate-limiting to prevent password spraying attacks.
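The two interim mitigations above can be applied in the site's own startup code. The following is an added example, not code from the advisory or from Optimizely; it assumes a CMS 12 site on the bundled ASP.NET Core Identity provider (EPiServer.Cms.UI.AspNetIdentity, `ApplicationUser` as the user type) and uses only standard ASP.NET Core Identity `IdentityOptions` settings.

```csharp
// Added example (not part of the advisory): Startup.ConfigureServices for an
// Optimizely CMS 12 site that cannot yet move to 12.32.0. It raises the
// password policy to the advisory's interim minimum and adds account lockout
// so that repeated guesses against one account are throttled server-side.
using System;
using EPiServer.Cms.UI.AspNetIdentity;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public partial class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddCms();
        // Assumption: the site uses the default Identity-based membership provider.
        services.AddCmsAspNetIdentity<ApplicationUser>();

        // Standard ASP.NET Core Identity options; these override the provider's
        // defaults for any password set or changed after deployment.
        services.Configure<IdentityOptions>(options =>
        {
            // Advisory mitigation: at least 8 characters, mixed case, digits, symbols.
            options.Password.RequiredLength = 8;
            options.Password.RequireUppercase = true;
            options.Password.RequireLowercase = true;
            options.Password.RequireDigit = true;
            options.Password.RequireNonAlphanumeric = true;
            // Assumed extra: reject near-repetitive strings such as "Aaaaaa1!".
            options.Password.RequiredUniqueChars = 4;

            // Per-account lockout complements edge rate limiting against spraying:
            // a spray that rotates one guess across many accounts still trips the
            // counter on each account it touches. Values below are assumptions.
            options.Lockout.AllowedForNewUsers = true;
            options.Lockout.MaxFailedAccessAttempts = 5;
            options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
        });
    }
}
```

Existing accounts keep their current passwords until they are changed, so the policy only protects accounts once users reset; lockout events surface in the Identity sign-in result and should be forwarded to whatever logging the "Monitor Login Activity" mitigation relies on.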
Severity:
Medium
CVSS:
5.5
CVE ID:
CVE-2025-22390
Date Published:
January 3, 2025