CWE-307
AllowedImproper Restriction of Excessive Authentication Attempts
Abstraction: Base · Status: Draft
The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
905 vulnerabilities reference this CWE, most recent first.
GHSA-M39F-RG22-Q2X7
Vulnerability from github – Published: 2026-06-03 18:33 – Updated: 2026-06-04 15:30Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 10 attempts).
{
"affected": [],
"aliases": [
"CVE-2026-36612"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-03T18:16:22Z",
"severity": "MODERATE"
},
"details": "Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 10 attempts).",
"id": "GHSA-m39f-rg22-q2x7",
"modified": "2026-06-04T15:30:32Z",
"published": "2026-06-03T18:33:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-36612"
},
{
"type": "WEB",
"url": "https://github.com/Tymbark7372/MERCUSYS-AC12G/blob/master/advisories/CVE-2026-36612.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M4CP-R954-7X4C
Vulnerability from github – Published: 2025-06-26 21:31 – Updated: 2025-06-26 21:31A vulnerability, which was classified as critical, has been found in xxyopen/201206030 novel-plus up to 5.1.3. Affected by this issue is the function ajaxLogin of the file novel-admin/src/main/java/com/java2nb/system/controller/LoginController.java of the component CATCHA Handler. The manipulation leads to authentication bypass by capture-replay. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
{
"affected": [],
"aliases": [
"CVE-2025-6533"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-06-24T00:15:26Z",
"severity": "MODERATE"
},
"details": "A vulnerability, which was classified as critical, has been found in xxyopen/201206030 novel-plus up to 5.1.3. Affected by this issue is the function ajaxLogin of the file novel-admin/src/main/java/com/java2nb/system/controller/LoginController.java of the component CATCHA Handler. The manipulation leads to authentication bypass by capture-replay. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
"id": "GHSA-m4cp-r954-7x4c",
"modified": "2025-06-26T21:31:03Z",
"published": "2025-06-26T21:31:03Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6533"
},
{
"type": "WEB",
"url": "https://blog.0xd00.com/blog/captcha-replay-attack-lead-to-brute-force-protection-bypass"
},
{
"type": "WEB",
"url": "https://blog.0xd00.com/blog/captcha-replay-attack-lead-to-brute-force-protection-bypass#poc"
},
{
"type": "WEB",
"url": "https://vuldb.com/?ctiid.313652"
},
{
"type": "WEB",
"url": "https://vuldb.com/?id.313652"
},
{
"type": "WEB",
"url": "https://vuldb.com/?submit.596481"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-M4WF-GF4J-873F
Vulnerability from github – Published: 2025-07-29 15:31 – Updated: 2025-07-29 21:30Grandstream Networks UCM6510 v1.0.20.52 and before is vulnerable to Improper Restriction of Excessive Authentication Attempts. An attacker can perform an arbitrary number of authentication attempts using different passwords and eventually gain access to the targeted account using a brute force attack.
{
"affected": [],
"aliases": [
"CVE-2025-28172"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-07-29T15:15:34Z",
"severity": "MODERATE"
},
"details": "Grandstream Networks UCM6510 v1.0.20.52 and before is vulnerable to Improper Restriction of Excessive Authentication Attempts. An attacker can perform an arbitrary number of authentication attempts using different passwords and eventually gain access to the targeted account using a brute force attack.",
"id": "GHSA-m4wf-gf4j-873f",
"modified": "2025-07-29T21:30:42Z",
"published": "2025-07-29T15:31:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-28172"
},
{
"type": "WEB",
"url": "https://gist.github.com/Exek1el/6291185a87c98d4229181212b2bd5cdf"
},
{
"type": "WEB",
"url": "http://grandstream.com"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M538-HXPG-3FVH
Vulnerability from github – Published: 2022-05-13 01:32 – Updated: 2022-05-13 01:32An Improper Restriction of Excessive Authentication Attempts issue was discovered in Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches. An improper restriction of excessive authentication vulnerability in the web interface has been identified, which may allow an attacker to brute force authentication.
{
"affected": [],
"aliases": [
"CVE-2018-5469"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-03-06T21:29:00Z",
"severity": "CRITICAL"
},
"details": "An Improper Restriction of Excessive Authentication Attempts issue was discovered in Belden Hirschmann RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic Platform Switches. An improper restriction of excessive authentication vulnerability in the web interface has been identified, which may allow an attacker to brute force authentication.",
"id": "GHSA-m538-hxpg-3fvh",
"modified": "2022-05-13T01:32:06Z",
"published": "2022-05-13T01:32:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5469"
},
{
"type": "WEB",
"url": "https://ics-cert.us-cert.gov/advisories/ICSA-18-065-01"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/103340"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M58F-9PVV-8MP2
Vulnerability from github – Published: 2025-10-23 12:31 – Updated: 2025-10-24 20:58Moodle's mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0-beta"
},
{
"fixed": "5.0.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.0-beta"
},
{
"fixed": "4.5.7"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "4.2.0-beta"
},
{
"fixed": "4.4.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "moodle/moodle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.1.21"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-62399"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-24T20:58:12Z",
"nvd_published_at": "2025-10-23T12:15:32Z",
"severity": "HIGH"
},
"details": "Moodle\u0027s mobile and web service authentication endpoints did not sufficiently restrict repeated password attempts, making them susceptible to brute-force attacks.",
"id": "GHSA-m58f-9pvv-8mp2",
"modified": "2025-10-24T20:58:12Z",
"published": "2025-10-23T12:31:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62399"
},
{
"type": "WEB",
"url": "https://github.com/moodle/moodle/commit/e4d02567c922c537086de9f59f063ca073552a3a"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2025-62399"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2404432"
},
{
"type": "PACKAGE",
"url": "https://github.com/moodle/moodle"
},
{
"type": "WEB",
"url": "https://moodle.org/mod/forum/discuss.php?d=470388"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Moodle vulnerable to brute-force password guesses"
}
GHSA-M5C3-3GVF-Q8J5
Vulnerability from github – Published: 2022-05-24 17:07 – Updated: 2024-04-24 20:40The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "dolibarr/dolibarr"
},
"versions": [
"10.0.6"
]
}
],
"aliases": [
"CVE-2020-7995"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-24T20:40:17Z",
"nvd_published_at": "2020-01-26T23:15:00Z",
"severity": "CRITICAL"
},
"details": "The htdocs/index.php?mainmenu=home login page in Dolibarr 10.0.6 allows an unlimited rate of failed authentication attempts.",
"id": "GHSA-m5c3-3gvf-q8j5",
"modified": "2024-04-24T20:40:17Z",
"published": "2022-05-24T17:07:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-7995"
},
{
"type": "PACKAGE",
"url": "https://github.com/Dolibarr/dolibarr"
},
{
"type": "WEB",
"url": "https://github.com/tufangungor/tufangungor.github.io/blob/master/_posts/2020-01-19-dolibarr-10.0.6-brute-force.md"
},
{
"type": "WEB",
"url": "https://tufangungor.github.io/exploit/2020/01/18/dolibarr-10.0.6-brute-force.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/163541/Dolibarr-ERP-CRM-10.0.6-Login-Brute-Forcer.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Dolibarr Improper Restriction of Excessive Authentication Attempts"
}
GHSA-M5CP-32QG-99GF
Vulnerability from github – Published: 2022-06-09 00:00 – Updated: 2022-06-16 00:00An issue was discovered in certain Verbatim drives through 2022-03-31. The security feature for lockout (e.g., requiring a reformat of the drive after 20 failed unlock attempts) does not work as specified. More than 20 attempts may be made. This affects Keypad Secure USB 3.2 Gen 1 Drive Part Number #49428 and Store 'n' Go Secure Portable HDD GD25LK01-3637-C VER4.0.
{
"affected": [],
"aliases": [
"CVE-2022-28386"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-08T17:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in certain Verbatim drives through 2022-03-31. The security feature for lockout (e.g., requiring a reformat of the drive after 20 failed unlock attempts) does not work as specified. More than 20 attempts may be made. This affects Keypad Secure USB 3.2 Gen 1 Drive Part Number #49428 and Store \u0027n\u0027 Go Secure Portable HDD GD25LK01-3637-C VER4.0.",
"id": "GHSA-m5cp-32qg-99gf",
"modified": "2022-06-16T00:00:26Z",
"published": "2022-06-09T00:00:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-28386"
},
{
"type": "WEB",
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-004.txt"
},
{
"type": "WEB",
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-008.txt"
},
{
"type": "WEB",
"url": "https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-046.txt"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/167492/Verbatim-Keypad-Secure-USB-3.2-Gen-1-Drive-Passcode-Retry.html"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/167509/Verbatim-Store-N-Go-Secure-Portable-HDD-GD25LK01-3637-C-VER4.0-Behavior-Violation.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Jun/11"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Jun/20"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2022/Oct/6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-M5MF-3963-4X26
Vulnerability from github – Published: 2025-02-19 17:47 – Updated: 2025-02-19 20:00Summary
If users are allowed to sign in via both username and email the regulation system treats these as separate login events. This leads to the regulation limitations being effectively doubled assuming an attacker using brute-force to find a user password. It's important to note that due to the effective operation of regulation where no user-facing sign of their regulation ban being visible either via timing or via API responses, it's effectively impossible to determine if a failure occurs due to a bad username password combination, or a effective ban blocking the attempt which heavily mitigates any form of brute-force.
Details
This occurs because the records and counting process for this system uses the method utilized for sign in rather than the effective username attribute.
Impact
This has a minimal impact on account security, this impact is increased naturally in scenarios when there is no two-factor authentication required and weak passwords are used. This makes it a bit easier to brute-force a password.
Workarounds
- Do not heavily modify the default settings in a way that ends up with shorter or less frequent regulation bans. The default settings effectively mitigate any potential for this issue to be exploited.
- Disable the ability for users to login via an email address.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/authelia/authelia/v4"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.38.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-24806"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": true,
"github_reviewed_at": "2025-02-19T17:47:47Z",
"nvd_published_at": "2025-02-19T18:15:24Z",
"severity": "LOW"
},
"details": "### Summary\n\nIf users are allowed to sign in via both username and email the regulation system treats these as separate login events. This leads to the regulation limitations being effectively doubled assuming an attacker using brute-force to find a user password. It\u0027s important to note that due to the effective operation of regulation where no user-facing sign of their regulation ban being visible either via timing or via API responses, it\u0027s effectively impossible to determine if a failure occurs due to a bad username password combination, or a effective ban blocking the attempt which heavily mitigates any form of brute-force.\n\n### Details\n\nThis occurs because the records and counting process for this system uses the method utilized for sign in rather than the effective username attribute.\n\n### Impact\n\nThis has a minimal impact on account security, this impact is increased naturally in scenarios when there is no two-factor authentication required and weak passwords are used. This makes it a bit easier to brute-force a password.\n\n### Workarounds\n\n1. Do not heavily modify the default settings in a way that ends up with shorter or less frequent regulation bans. The default settings effectively mitigate any potential for this issue to be exploited.\n2. Disable the ability for users to login via an email address.",
"id": "GHSA-m5mf-3963-4x26",
"modified": "2025-02-19T20:00:06Z",
"published": "2025-02-19T17:47:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/authelia/authelia/security/advisories/GHSA-m5mf-3963-4x26"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24806"
},
{
"type": "WEB",
"url": "https://github.com/authelia/authelia/commit/d4a54189aa6563912f9427b96dcb01eacafa785c"
},
{
"type": "PACKAGE",
"url": "https://github.com/authelia/authelia"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Authelia applies regulation separately to Username-based logins to Email-based logins"
}
GHSA-M69G-HG7G-39H3
Vulnerability from github – Published: 2022-05-13 01:42 – Updated: 2022-05-13 01:42IBM BigFix Compliance (TEMA SUAv1 SCA SCM) uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 123672.
{
"affected": [],
"aliases": [
"CVE-2017-1197"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2017-06-15T13:29:00Z",
"severity": "CRITICAL"
},
"details": "IBM BigFix Compliance (TEMA SUAv1 SCA SCM) uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials. IBM X-Force ID: 123672.",
"id": "GHSA-m69g-hg7g-39h3",
"modified": "2022-05-13T01:42:36Z",
"published": "2022-05-13T01:42:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1197"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/123672"
},
{
"type": "WEB",
"url": "http://www.ibm.com/support/docview.wss?uid=swg22004170"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-M6GH-58PH-RM3Q
Vulnerability from github – Published: 2023-12-18 21:30 – Updated: 2023-12-22 21:30The Theme My Login 2FA WordPress plugin before 1.2 does not rate limit 2FA validation attempts, which may allow an attacker to brute-force all possibilities, which shouldn't be too long, as the 2FA codes are 6 digits.
{
"affected": [],
"aliases": [
"CVE-2023-6272"
],
"database_specific": {
"cwe_ids": [
"CWE-307"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-18T20:15:08Z",
"severity": "CRITICAL"
},
"details": "The Theme My Login 2FA WordPress plugin before 1.2 does not rate limit 2FA validation attempts, which may allow an attacker to brute-force all possibilities, which shouldn\u0027t be too long, as the 2FA codes are 6 digits.",
"id": "GHSA-m6gh-58ph-rm3q",
"modified": "2023-12-22T21:30:21Z",
"published": "2023-12-18T21:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6272"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/a03243ea-fee7-46e4-8037-a228afc5297a"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Common protection mechanisms include:
- Disconnecting the user after a small number of failed attempts
- Implementing a timeout
- Locking out a targeted account
- Requiring a computational task on the user's part.
Mitigation MIT-4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482].
- Consider using libraries with authentication capabilities such as OpenSSL or the ESAPI Authenticator. [REF-45]
CAPEC-16: Dictionary-based Password Attack
An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations). This is a specific instance of the password brute forcing attack pattern.
Dictionary Attacks differ from similar attacks such as Password Spraying (CAPEC-565) and Credential Stuffing (CAPEC-600), since they leverage unknown username/password combinations and don't care about inducing account lockouts.
CAPEC-49: Password Brute Forcing
An adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.
CAPEC-560: Use of Known Domain Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate credentials (e.g. userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.
CAPEC-565: Password Spraying
In a Password Spraying attack, an adversary tries a small list (e.g. 3-5) of common or expected passwords, often matching the target's complexity policy, against a known list of user accounts to gain valid credentials. The adversary tries a particular password for each user account, before moving onto the next password in the list. This approach assists the adversary in remaining undetected by avoiding rapid or frequent account lockouts. The adversary may then reattempt the process with additional passwords, once enough time has passed to prevent inducing a lockout.
CAPEC-600: Credential Stuffing
An adversary tries known username/password combinations against different systems, applications, or services to gain additional authenticated access. Credential Stuffing attacks rely upon the fact that many users leverage the same username/password combination for multiple systems, applications, and services.
CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
CAPEC-653: Use of Known Operating System Credentials
An adversary guesses or obtains (i.e. steals or purchases) legitimate operating system credentials (e.g. userID/password) to achieve authentication and to perform authorized actions on the system, under the guise of an authenticated user or service. This applies to any Operating System.