CVE-2019-17240

CRITICAL

Bludit 3.9.2 - Authentication Bruteforce Mitigation Bypass via X-Forwarded-For Header


Exploitation Summary

EIP tracks 12 public exploits for CVE-2019-17240. PoCs published by Mayank Deshmukh, Alexandre ZANNI, pingport80.

AI-analyzed exploit summary

This exploit bypasses the brute-force mitigation in Bludit <= 3.9.2 by manipulating the X-Forwarded-For header to avoid IP-based blocking. It performs a credential brute-force attack using provided username and password lists.

Description

bl-kernel/security.class.php in Bludit 3.9.2 allows attackers to bypass a brute-force protection mechanism by using many different forged X-Forwarded-For or Client-IP HTTP headers.

Exploits (12)

exploitdb WORKING POC VERIFIED
by Mayank Deshmukh · python · webapps · php
https://www.exploit-db.com/exploits/48942
Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Bludit <= 3.9.2
No auth needed
Prerequisites: valid target URL · username list · password list
devstral-2 · analyzed Feb 16, 2026
exploitdb WORKING POC VERIFIED
by Alexandre ZANNI · ruby · webapps · php
https://www.exploit-db.com/exploits/48746

This Ruby script exploits CVE-2019-17240, a brute-force mitigation bypass in Bludit <= 3.9.2. It bypasses IP-based rate limiting by manipulating the 'X-Forwarded-For' header to brute-force admin credentials.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Bludit <= 3.9.2
No auth needed
Prerequisites: valid admin username · password wordlist
devstral-2 · analyzed Feb 16, 2026
nomisec WORKING POC 3 stars
by pingport80 · poc
https://github.com/pingport80/CVE-2019-17240

This repository contains a functional Python script that exploits CVE-2019-17240, a brute-force mitigation bypass in Bludit CMS versions prior to 3.9.2. The exploit leverages the X-Forwarded-For header to bypass login attempt restrictions and includes a multi-threaded brute-force attack with CSRF token handling.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Bludit CMS < 3.9.2
No auth needed
Prerequisites: Target URL · Valid username · Password wordlist
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 2 stars
by ColdFusionX · poc
https://github.com/ColdFusionX/CVE-2019-17240_Bludit-BF-Bypass

This repository contains a functional Python exploit for CVE-2019-17240, which bypasses the brute-force mitigation mechanism in Bludit CMS versions <= 3.9.2. The exploit uses the X-Forwarded-For header to bypass rate-limiting and attempts credential brute-forcing against the login endpoint.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Bludit CMS <= 3.9.2
No auth needed
Prerequisites: Target URL with Bludit login page · Username and password wordlists
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 1 star
by 0xDTC · poc
https://github.com/0xDTC/Bludit-3.9.2-Auth-Bruteforce-Bypass-CVE-2019-17240

This repository contains a Bash script that exploits CVE-2019-17240, a vulnerability in Bludit CMS <= 3.9.2 allowing brute-force attacks by bypassing CSRF token protection. The script dynamically fetches CSRF tokens and attempts login with a provided password list.

Classification: Working PoC (90%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Bludit CMS <= 3.9.2
No auth needed
Prerequisites: curl · Bash shell · valid URL · username · password file
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC 1 star
by spyx · poc
https://github.com/spyx/cve-2019-17240

This repository contains a functional Go-based brute-force mitigation bypass exploit for Bludit CMS versions <= 3.9.22. The exploit automates credential brute-forcing by bypassing CSRF protections and leveraging the X-Forwarded-For header to evade rate-limiting.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Bludit CMS <= 3.9.22
No auth needed
Prerequisites: Valid username · Password wordlist · Access to the login page
devstral-2 · analyzed Feb 19, 2026
gitlab WORKING POC
by quizno · poc
https://gitlab.com/quizno/cve-2019-17240-exploit

This script exploits CVE-2019-17240, an authentication bypass vulnerability in Vembu BDR Suite. It brute-forces credentials by injecting passwords via the X-Forwarded-For header while bypassing CSRF protection.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Vembu BDR Suite
No auth needed
Prerequisites: valid username · wordlist of passwords
devstral-2 · analyzed Feb 23, 2026
nomisec WORKING POC
by mind2hex · poc
https://github.com/mind2hex/CVE-2019-17240-Bludit-3.9.2-Auth-Bruteforce-Bypass

This repository contains a functional Python script that exploits CVE-2019-17240, an authentication bruteforce bypass vulnerability in Bludit 3.9.2. The script automates credential brute-forcing by bypassing rate-limiting mechanisms and handling CSRF tokens.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Bludit 3.9.2
No auth needed
Prerequisites: Network access to the Bludit admin panel · Valid username or username list
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by brunosergi · poc
https://github.com/brunosergi/bloodit

This repository contains a functional Python script that exploits CVE-2019-17240, an authentication brute-force bypass vulnerability in Bludit CMS versions <= 3.9.2. The script automates the brute-force attack by leveraging CSRF token extraction and bypassing rate-limiting mechanisms.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Bludit CMS <= 3.9.2
No auth needed
Prerequisites: Target Bludit CMS login page URL · Wordlist of passwords
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by jayngng · poc
https://github.com/jayngng/bludit-CVE-2019-17240

This repository contains a functional Python exploit for CVE-2019-17240, which bypasses Bludit's authentication and uploads a malicious PHP payload to achieve remote code execution via a reverse shell. The exploit leverages CSRF token extraction and file upload manipulation.

Classification: Working PoC (95%)
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Bludit CMS (versions affected by CVE-2019-17240)
No auth needed
Prerequisites: Network access to the target Bludit instance · Knowledge of valid credentials or ability to bypass authentication
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by triple-octopus · poc
https://github.com/triple-octopus/Bludit-CVE-2019-17240-Fork

This repository contains a functional brute-force exploit for CVE-2019-17240, targeting Bludit CMS. The script bypasses brute-force mitigation by injecting passwords via the X-Forwarded-For header while attempting authentication.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Bludit CMS (versions affected by CVE-2019-17240)
No auth needed
Prerequisites: Target URL · Valid username · Password wordlist
devstral-2 · analyzed Feb 19, 2026
nomisec WORKING POC
by LucaReggiannini · poc
https://github.com/LucaReggiannini/Bludit-3-9-2-bb

This repository contains a functional Python script that exploits CVE-2019-17240, an authentication bypass vulnerability in Bludit 3.9.2. The script performs a brute-force attack by leveraging the 'X-Forwarded-For' header to bypass login restrictions.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Bludit 3.9.2
No auth needed
Prerequisites: Access to the Bludit login page · Lists of usernames and passwords
devstral-2 · analyzed Feb 19, 2026

References (4)

Core References
Exploit, Third Party Advisory (x_refsource_misc): https://rastating.github.io/bludit-brute-force-mitigation-bypass/
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/bludit/bludit/pull/1090

Scores

CVSS v3: 9.8
EPSS: 0.8031
EPSS Percentile: 99.1%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-307
Status: published
Products (1): bludit/bludit 3.9.2
Published: Oct 06, 2019
Tracked Since: Feb 18, 2026