OpenEMR 7.0.1 contains an authentication brute force vulnerability that allows attackers to bypass rate limiting protections by sending repeated login attempts to the main login endpoint. Attackers can submit POST requests with authUser and clearPass parameters to systematically test username and password combinations without account lockout restrictions.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0 matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2023-54347 exposes a critical authentication weakness in OpenEMR 7.0.1 where rate limiting protections fail to prevent brute force attacks against the login endpoint. Attackers can submit unlimited POST requests containing username and password combinations (authUser and clearPass parameters) without triggering account lockout or IP-based restrictions. This vulnerability directly threatens healthcare organizations relying on OpenEMR for electronic health records, potentially allowing unauthorized access to sensitive patient data, medical records, and administrative functions. The attack requires no special privileges or authentication—any attacker with network access to the login page can systematically enumerate valid credentials.
While this CVE does not map to specific MITRE ATT&CK techniques in its current classification, Casky's AI-driven security skills detect the underlying attack patterns associated with credential access and account takeover. Practitioners using Casky would observe findings related to T1110 (Brute Force), T1078 (Valid Accounts), and T1021 (Remote Services) through detection of repeated failed authentication attempts, abnormal login velocity from single sources, and successful authentication following brute force patterns. Claude's extended reasoning capabilities enable Casky to correlate multiple login attempts across time windows, identify distributed attack signatures, and distinguish legitimate failed logins from systematic credential testing—allowing security teams to detect and block brute force campaigns before accounts are compromised.
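The three signals named above (login velocity from one source, distributed failures against one account, and a success following a burst) can be checked with a sliding window, shown here as an added example that is not Casky's or OpenEMR's code. The normalized event tuple, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds, not taken from the advisory; tune per deployment.
WINDOW = timedelta(seconds=60)
MAX_FAILS = 5

def ev(sec, src, user, outcome):
    """Build one constructed event: (iso_time, source_ip, auth_user, outcome)."""
    return (f"2024-01-01T09:00:{sec:02d}", src, user, outcome)

# Constructed sample data (documentation IP ranges, made-up usernames).
SAMPLE_EVENTS = (
    [ev(s, "203.0.113.7", "admin", "fail") for s in range(0, 12, 2)]   # fast guessing
    + [ev(14, "203.0.113.7", "admin", "ok")]                           # then a success
    + [ev(20, "198.51.100.4", "nurse1", "fail"),                       # ordinary typos
       ev(25, "198.51.100.4", "nurse1", "fail"),
       ev(30, "198.51.100.4", "nurse1", "ok")]
    + [ev(40 + i, f"192.0.2.{i + 1}", "drsmith", "fail") for i in range(5)]  # distributed
)

def detect(events, window=WINDOW, max_fails=MAX_FAILS):
    """Return (kind, key, iso_time) alerts for brute-force login behaviour."""
    fails = defaultdict(deque)  # ("src", ip) or ("user", name) -> failure times
    active = set()              # keys currently at or over the threshold
    alerts = []
    for ts, src, user, outcome in sorted(events):
        now = datetime.fromisoformat(ts)
        keys = (("src", src), ("user", user))
        for key in keys:
            q = fails[key]
            while q and now - q[0] > window:
                q.popleft()              # expire failures outside the window
            if len(q) < max_fails:
                active.discard(key)      # burst over: allow a fresh alert later
        if outcome == "fail":
            for key in keys:
                fails[key].append(now)
                if len(fails[key]) >= max_fails and key not in active:
                    active.add(key)
                    alerts.append(("brute_force", key, ts))
        elif any(key in active for key in keys):
            # A success during an active burst suggests a guessed credential.
            alerts.append(("success_after_burst", ("user", user), ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Counting failures per account as well as per source is what catches the distributed case, where no single address exceeds the threshold.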