CWE-307
AllowedImproper Restriction of Excessive Authentication Attempts
Abstraction: Base · Status: Draft
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
905 vulnerabilities reference this CWE, most recent first.
GHSA-6P7H-4J4X-9M57
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28Improper restriction of excessive authentication attempts vulnerability in QSAN Storage Manager, XEVO, SANOS allows remote attackers to discover users’ credentials and obtain access via a brute force attack.
{
"affected": [],
"aliases": [
"CVE-2021-32522"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-07T14:15:00Z",
"severity": "CRITICAL"
},
"details": "Improper restriction of excessive authentication attempts vulnerability in QSAN Storage Manager, XEVO, SANOS allows remote attackers to discover users\u2019 credentials and obtain access via a brute force attack.",
"id": "GHSA-6p7h-4j4x-9m57",
"modified": "2022-05-24T22:28:19Z",
"published": "2022-05-24T22:28:19Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32522"
},
{
"type": "WEB",
"url": "https://www.twcert.org.tw/tw/cp-132-4878-0a279-1.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6P8R-6M93-557F
Vulnerability from github – Published: 2026-04-03 03:09 – Updated: 2026-05-06 23:22Summary
Fake DeviceToken Bypasses Shared Auth Rate Limiting
Current Maintainer Triage
- Status: narrow
- Normalized severity: low
- Assessment: Real in shipped mixed WS auth flow, but practical risk is mostly weak shared-password deployments since strong shared tokens remain non-bruteforceable.
Affected Packages / Versions
- Package:
openclaw(npm) - Latest published npm version:
2026.3.31 - Vulnerable version range:
<=2026.3.28 - Patched versions:
>= 2026.3.31 - First stable tag containing the fix:
v2026.3.31
Fix Commit(s)
af0c0862f22ca4492406a3103d05e3628f94cbe9— 2026-03-31T09:08:57+09:00
Release Process Note
- The fix is already present in released version
2026.3.31.
OpenClaw thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.28"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.31"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-41333"
],
"database_specific": {
"cwe_ids": [
"CWE-307",
"CWE-799"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-03T03:09:18Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\nFake DeviceToken Bypasses Shared Auth Rate Limiting\n\n## Current Maintainer Triage\n- Status: narrow\n- Normalized severity: low\n- Assessment: Real in shipped mixed WS auth flow, but practical risk is mostly weak shared-password deployments since strong shared tokens remain non-bruteforceable.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `af0c0862f22ca4492406a3103d05e3628f94cbe9` \u2014 2026-03-31T09:08:57+09:00\n\n## Release Process Note\n- The fix is already present in released version `2026.3.31`.\n\nOpenClaw thanks @kexinoh of Tencent zhuque Lab (https://github.com/Tencent/AI-Infra-Guard) for reporting.",
"id": "GHSA-6p8r-6m93-557f",
"modified": "2026-05-06T23:22:13Z",
"published": "2026-04-03T03:09:18Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6p8r-6m93-557f"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/af0c0862f22ca4492406a3103d05e3628f94cbe9"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-authentication-rate-limiting-bypass-via-fake-devicetoken"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw: Fake DeviceToken Bypasses Shared Auth Rate Limiting"
}
GHSA-6PCJ-RQ2G-GX86
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-05-24 22:28A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists in PLC Simulator on EcoStruxureª Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when a brute force attack is done over Modbus.
{
"affected": [],
"aliases": [
"CVE-2020-28212"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-19T22:15:00Z",
"severity": "CRITICAL"
},
"details": "A CWE-307: Improper Restriction of Excessive Authentication Attempts vulnerability exists in PLC Simulator on EcoStruxure\u00aa Control Expert (now Unity Pro) (all versions) that could cause unauthorized command execution when a brute force attack is done over Modbus.",
"id": "GHSA-6pcj-rq2g-gx86",
"modified": "2022-05-24T22:28:20Z",
"published": "2022-05-24T22:28:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28212"
},
{
"type": "WEB",
"url": "https://www.se.com/ww/en/download/document/SEVD-2020-315-07"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6PV7-22FF-JQJJ
Vulnerability from github – Published: 2025-08-13 21:30 – Updated: 2025-08-13 21:30A vulnerability was determined in mtons mblog up to 3.5.0. Affected by this issue is some unknown functionality of the file /email/send_code of the component Verification Code Handler. The manipulation of the argument email leads to improper restriction of excessive authentication attempts. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.
{
"affected": [],
"aliases": [
"CVE-2025-8927"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-13T20:15:35Z",
"severity": "MODERATE"
},
"details": "A vulnerability was determined in mtons mblog up to 3.5.0. Affected by this issue is some unknown functionality of the file /email/send_code of the component Verification Code Handler. The manipulation of the argument email leads to improper restriction of excessive authentication attempts. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used.",
"id": "GHSA-6pv7-22ff-jqjj",
"modified": "2025-08-13T21:30:29Z",
"published": "2025-08-13T21:30:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8927"
},
{
"type": "WEB",
"url": "https://gitee.com/mtons/mblog/issues/ICPMJR"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.319886"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.319886"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.631654"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-6Q78-GPRW-J4GG
Vulnerability from github – Published: 2022-05-13 01:05 – Updated: 2022-05-13 01:05If REST API is enabled, the Junos OS login credentials are vulnerable to brute force attacks. The high default connection limit of the REST API may allow an attacker to brute-force passwords using advanced scripting techniques. Additionally, administrators who do not enforce a strong password policy can increase the likelihood of success from brute force attacks. Affected releases are Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S3; 15.1X49 versions prior to 15.1X49-D160; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D495, 15.1X53-D591, 15.1X53-D69; 16.1 versions prior to 16.1R3-S10, 16.1R4-S12, 16.1R6-S6, 16.1R7-S3; 16.1X65 versions prior to 16.1X65-D49; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S2; 17.4 versions prior to 17.4R1-S6, 17.4R2-S2; 18.1 versions prior to 18.1R2-S4, 18.1R3-S1; 18.2 versions prior to 18.2R1-S5; 18.2X75 versions prior to 18.2X75-D30; 18.3 versions prior to 18.3R1-S1.
{
"affected": [],
"aliases": [
"CVE-2019-0039"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-04-10T20:29:00Z",
"severity": "HIGH"
},
"details": "If REST API is enabled, the Junos OS login credentials are vulnerable to brute force attacks. The high default connection limit of the REST API may allow an attacker to brute-force passwords using advanced scripting techniques. Additionally, administrators who do not enforce a strong password policy can increase the likelihood of success from brute force attacks. Affected releases are Juniper Networks Junos OS: 14.1X53 versions prior to 14.1X53-D49; 15.1 versions prior to 15.1F6-S12, 15.1R7-S3; 15.1X49 versions prior to 15.1X49-D160; 15.1X53 versions prior to 15.1X53-D236, 15.1X53-D495, 15.1X53-D591, 15.1X53-D69; 16.1 versions prior to 16.1R3-S10, 16.1R4-S12, 16.1R6-S6, 16.1R7-S3; 16.1X65 versions prior to 16.1X65-D49; 16.2 versions prior to 16.2R2-S7; 17.1 versions prior to 17.1R2-S10, 17.1R3; 17.2 versions prior to 17.2R1-S8, 17.2R3-S1; 17.3 versions prior to 17.3R3-S2; 17.4 versions prior to 17.4R1-S6, 17.4R2-S2; 18.1 versions prior to 18.1R2-S4, 18.1R3-S1; 18.2 versions prior to 18.2R1-S5; 18.2X75 versions prior to 18.2X75-D30; 18.3 versions prior to 18.3R1-S1.",
"id": "GHSA-6q78-gprw-j4gg",
"modified": "2022-05-13T01:05:37Z",
"published": "2022-05-13T01:05:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-0039"
},
{
"type": "WEB",
"url": "https://kb.juniper.net/JSA10928"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/107899"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6QXG-CM55-G85X
Vulnerability from github – Published: 2023-12-20 12:30 – Updated: 2026-02-23 12:31Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.
{
"affected": [],
"aliases": [
"CVE-2023-6912"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-20T10:15:08Z",
"severity": "HIGH"
},
"details": "Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.",
"id": "GHSA-6qxg-cm55-g85x",
"modified": "2026-02-23T12:31:28Z",
"published": "2023-12-20T12:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6912"
},
{
"type": "WEB",
"url": "https://empower.m-files.com/security-advisories/CVE-2023-6912"
},
{
"type": "WEB",
"url": "https://product.m-files.com/security-advisories/cve-2023-6912"
},
{
"type": "WEB",
"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6912"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6RMX-GVVG-VH6J
Vulnerability from github – Published: 2026-03-09 19:52 – Updated: 2026-03-09 19:52OpenClaw's hooks HTTP handler counted hook authentication failures before rejecting unsupported HTTP methods. An unauthenticated client could send repeated non-POST requests (for example GET) with an invalid token to consume the hook auth failure budget and trigger the temporary lockout window for that client key.
The fix moves the hook method gate ahead of auth-failure accounting so unsupported methods return 405 Method Not Allowed without incrementing the hook auth limiter.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.3.2 - Patched version:
2026.3.7 - Latest published npm version at patch time:
2026.3.2
Impact
An unauthenticated network client that could reach /hooks/* could temporarily lock out legitimate webhook delivery when requests collapsed to the same hook auth client key, such as shared proxy or NAT topologies. Impact is limited to temporary availability loss for hook-triggered wake or automation delivery.
Fix Commit(s)
44820dceadac65ac7c0ce8fc0ffba8c2bd9fae89
Verification
pnpm checkpassedpnpm test:fastpassed- focused hook regression tests passed
pnpm exec vitest run --config vitest.gateway.config.tsstill has unrelated current-mainfailures insrc/gateway/server-channels.test.tsandsrc/gateway/server-methods/agents-mutate.test.ts
Release Process Note
npm 2026.3.7 was published on March 8, 2026. This advisory is fixed in the released package.
Thanks @JNX03 for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.3.2"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.3.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-307",
"CWE-799"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-09T19:52:47Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "OpenClaw\u0027s hooks HTTP handler counted hook authentication failures before rejecting unsupported HTTP methods. An unauthenticated client could send repeated non-`POST` requests (for example `GET`) with an invalid token to consume the hook auth failure budget and trigger the temporary lockout window for that client key.\n\nThe fix moves the hook method gate ahead of auth-failure accounting so unsupported methods return `405 Method Not Allowed` without incrementing the hook auth limiter.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.3.2`\n- Patched version: `2026.3.7`\n- Latest published npm version at patch time: `2026.3.2`\n\n## Impact\n\nAn unauthenticated network client that could reach `/hooks/*` could temporarily lock out legitimate webhook delivery when requests collapsed to the same hook auth client key, such as shared proxy or NAT topologies. Impact is limited to temporary availability loss for hook-triggered wake or automation delivery.\n\n## Fix Commit(s)\n\n- `44820dceadac65ac7c0ce8fc0ffba8c2bd9fae89`\n\n## Verification\n\n- `pnpm check` passed\n- `pnpm test:fast` passed\n- focused hook regression tests passed\n- `pnpm exec vitest run --config vitest.gateway.config.ts` still has unrelated current-`main` failures in `src/gateway/server-channels.test.ts` and `src/gateway/server-methods/agents-mutate.test.ts`\n\n## Release Process Note\n\nnpm `2026.3.7` was published on March 8, 2026. This advisory is fixed in the released package.\n\nThanks @JNX03 for reporting.",
"id": "GHSA-6rmx-gvvg-vh6j",
"modified": "2026-03-09T19:52:47Z",
"published": "2026-03-09T19:52:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6rmx-gvvg-vh6j"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/44820dceadac65ac7c0ce8fc0ffba8c2bd9fae89"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.7"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw\u0027s hooks count non-POST requests toward auth lockout"
}
GHSA-6V7H-6FVV-974M
Vulnerability from github – Published: 2023-05-30 18:30 – Updated: 2024-04-04 04:23An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.
{
"affected": [],
"aliases": [
"CVE-2023-23755"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-30T17:15:09Z",
"severity": "HIGH"
},
"details": "An issue was discovered in Joomla! 4.2.0 through 4.3.1. The lack of rate limiting allowed brute force attacks against MFA methods.",
"id": "GHSA-6v7h-6fvv-974m",
"modified": "2024-04-04T04:23:31Z",
"published": "2023-05-30T18:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-23755"
},
{
"type": "WEB",
"url": "https://developer.joomla.org/security-centre/900-20230502-core-bruteforce-prevention-within-the-mfa-screen.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6VF9-7Q6P-X646
Vulnerability from github – Published: 2024-11-12 18:31 – Updated: 2024-11-12 21:30An insufficient entropy vulnerability in the SecuSUITE Secure Client Authentication (SCA) Server of SecuSUITE versions 5.0.420 and earlier could allow an attacker to potentially enroll an attacker-controlled device to the victim’s account and telephone number.
{
"affected": [],
"aliases": [
"CVE-2024-51720"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-12T18:15:46Z",
"severity": "MODERATE"
},
"details": "An insufficient entropy vulnerability in the SecuSUITE Secure Client Authentication (SCA) Server of SecuSUITE versions 5.0.420 and earlier could allow an attacker to potentially enroll an attacker-controlled device to the victim\u2019s account and telephone number.",
"id": "GHSA-6vf9-7q6p-x646",
"modified": "2024-11-12T21:30:51Z",
"published": "2024-11-12T18:31:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51720"
},
{
"type": "WEB",
"url": "https://support.blackberry.com/pkb/s/article/140220"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6VJ9-7994-7367
Vulnerability from github – Published: 2025-12-16 18:31 – Updated: 2025-12-16 21:30An issue was discovered in Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router on firmware version V1.0.0 does not implement rate limiting to /api/login allowing attackers to brute force password enumerations.
{
"affected": [],
"aliases": [
"CVE-2025-65427"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-16T16:15:59Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router on firmware version V1.0.0 does not implement rate limiting to /api/login allowing attackers to brute force password enumerations.",
"id": "GHSA-6vj9-7994-7367",
"modified": "2025-12-16T21:30:54Z",
"published": "2025-12-16T18:31:32Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65427"
},
{
"type": "WEB",
"url": "https://github.com/kirubel-cve/CVE-2025-65427"
},
{
"type": "WEB",
"url": "http://dbit.com"
},
{
"type": "WEB",
"url": "http://shenzhen.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
CAPEC-49: Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-565: Password Spraying
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.