CVE-2025-3129

4.8 MEDIUM

📋 TL;DR

This vulnerability allows attackers to perform brute force attacks against Drupal Access code authentication mechanisms due to insufficient rate limiting. It affects all Drupal sites using Access code module versions before 2.0.4. Attackers could potentially guess valid credentials through repeated authentication attempts.

💻 Affected Systems

Products:
  • Drupal Access code module
Versions: 0.0.0 through 2.0.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Drupal installations with the Access code module enabled.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain unauthorized administrative access to Drupal sites, leading to complete system compromise, data theft, or site defacement.

🟠

Likely Case

Attackers gain access to user accounts with limited privileges, potentially escalating to higher privileges through other vulnerabilities.

🟢

If Mitigated

Failed authentication attempts are logged but no unauthorized access occurs due to strong password policies and monitoring.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Brute force attacks require no special tools or knowledge beyond basic scripting.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.0.4

Vendor Advisory: https://www.drupal.org/sa-contrib-2025-028

Restart Required: No

Instructions:

1. Update the Drupal Access code module to version 2.0.4 via Drupal's update manager or Composer.
2. Clear Drupal caches.
3. Verify the update was successful.

🔧 Temporary Workarounds

Implement Web Application Firewall Rate Limiting

Platform: all

Configure WAF or reverse proxy to limit authentication attempts per IP address

Enable Drupal Flood Control

Platform: linux

Configure Drupal's built-in flood control mechanism for login attempts

# Drupal core's login flood settings live in the user.flood config object; drush config-set takes <config-name> <key> <value>
drush config-set user.flood ip_limit 5
drush config-set user.flood ip_window 3600

🧯 If You Can't Patch

  • Implement network-level rate limiting for authentication endpoints
  • Enable multi-factor authentication for all user accounts

🔍 How to Verify

Check if Vulnerable:

Check Drupal module version via admin interface or drush command: drush pm-list | grep access_code

Check Version:

drush pm-list | grep access_code

Verify Fix Applied:

Confirm the module version is 2.0.4 or higher using the same command.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts from single IP address
  • Unusual authentication patterns outside business hours

Network Indicators:

  • High volume of POST requests to /user/login endpoint
  • Traffic patterns showing credential stuffing behavior

SIEM Query:

source="drupal.log" "Access denied" | stats count by src_ip | where count > 10
