CVE-2026-7671

LOW

CodeWise Tornet Scooter Mobile App TwoFactor excessive authentication

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-7671. PoCs published by CaginKyr.

AI-analyzed exploit summary: The repository contains a functional Python script that brute-forces a 4-digit OTP in the Tornet Scooter Mobile App 4.75 due to lack of rate limiting on the /TwoFactor endpoint. The PoC uses multi-threading to efficiently test OTP codes and logs results.

Description

A vulnerability has been found in CodeWise Tornet Scooter Mobile App 4.75 on iOS/Android. The impacted element is an unknown function of the file /TwoFactor. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed remotely. Attacks of this nature are highly complex. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Exploits (1)

nomisec WORKING POC
by CaginKyr · poc
https://github.com/CaginKyr/CVE-2026-7671

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: Tornet Scooter Mobile App 4.75 (Android)
No auth needed
Prerequisites: valid phone number · access to the /TwoFactor endpoint
devstral-2 · analyzed May 03, 2026

References (4)

Core References
VDB Entry
VDB-360819 | CodeWise Tornet Scooter Mobile App TwoFactor excessive authentication
https://vuldb.com/vuln/360819
Signature, Permissions Required
VDB-360819 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/360819/cti
Third Party Advisory
Submit #799987 | CodeWise Technologies, Tornet Scooter (Mobile APP) 4.75 Improper Restriction of Excessive Authentication Attempts (CWE-3
https://vuldb.com/submit/799987

Scores

CVSS v3 3.7
EPSS 0.0056
EPSS Percentile 42.3%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE: CWE-307, CWE-799
Status published
Products (1): CodeWise/Tornet Scooter Mobile App 4.75
Published May 03, 2026
Tracked Since May 03, 2026