CVE-2025-51536
BaseFortify
Publication date: 2025-08-04
Last updated on: 2025-09-23
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| craws | openatlas | up to 8.12.0 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1392 | The product uses default credentials (such as passwords or cryptographic keys) for potentially critical functionality. |
| CWE-798 | The product contains hard-coded credentials, such as a password or cryptographic key. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-51536 is a vulnerability in OpenAtlas v8.11.0 where the software installation process creates a hardcoded default administrator account with the username "OpenAtlas" and the password "change_me_PLEASE!". This hardcoded credential is publicly known and allows attackers to gain unauthorized administrative access to the system, posing a significant security risk. [1, 2]
How can this vulnerability impact me?
This vulnerability allows an attacker to log in with full administrator privileges without any authentication barriers, enabling complete takeover of the OpenAtlas application. This compromises the confidentiality, integrity, and availability of the system, potentially leading to unauthorized data access, data modification, or service disruption. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking whether the OpenAtlas installation still contains the default hardcoded administrator account with username "OpenAtlas" and password "/change_me_PLEASE!" (or "change_me_PLEASE!" as noted in some sources). For example, attempt to log in to the OpenAtlas application using these credentials. Additionally, you can check for the presence of this default account by querying the user database or configuration files for the username "OpenAtlas". Specific commands depend on your system setup, but in general, reviewing the user accounts in the OpenAtlas user management interface or directly in the database is recommended. [1, 2]
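The following audit script is an added example and not part of this advisory or of the OpenAtlas project. It takes user records as they might be exported from the application's user table (the record layout, the `active` flag, and the PBKDF2-SHA256 hash format are assumptions made here so the example runs offline; OpenAtlas's real storage scheme is not stated on this page, so substitute your deployment's verifier). It flags the default "OpenAtlas" account and distinguishes the critical case, where the stored hash still verifies against the default password, from the cases where the account was disabled or its password changed.

```python
"""Audit exported user records for the CVE-2025-51536 default admin account."""
import hashlib
import hmac

# Default credential named in the advisory text above.
DEFAULT_ADMIN_USERNAME = "OpenAtlas"
DEFAULT_ADMIN_PASSWORD = "change_me_PLEASE!"

# Assumption for this example: hashes are stored as
# 'pbkdf2_sha256$<rounds>$<salt_hex>$<digest_hex>'. Replace hash_password /
# verify_password with your deployment's actual scheme.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> str:
    """Produce a stored hash in the constructed format (used to build sample data)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a candidate password against a stored hash."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown format: never treat as a match
    _, rounds, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def audit_users(users):
    """Return (username, finding) pairs; an empty list means no default account found."""
    findings = []
    for user in users:
        if user["username"].lower() != DEFAULT_ADMIN_USERNAME.lower():
            continue
        if not user.get("active", True):
            findings.append((user["username"], "default account present but disabled"))
        elif verify_password(DEFAULT_ADMIN_PASSWORD, user["password_hash"]):
            findings.append((user["username"],
                             "CRITICAL: default admin account still uses the default password"))
        else:
            findings.append((user["username"],
                             "default account present; password changed (consider removing it)"))
    return findings


# Constructed sample export: one untouched default admin and one ordinary user.
SAMPLE_USERS = [
    {"username": "OpenAtlas", "group": "admin", "active": True,
     "password_hash": hash_password(DEFAULT_ADMIN_PASSWORD, bytes(16))},
    {"username": "alice", "group": "editor", "active": True,
     "password_hash": hash_password("correct horse battery staple", b"\x01" * 16)},
]

if __name__ == "__main__":
    for name, finding in audit_users(SAMPLE_USERS) or [("-", "no default account found")]:
        print(f"{name}: {finding}")
```

Run it against a real export by replacing `SAMPLE_USERS` with the rows from your user table and `verify_password` with the hash verifier your deployment uses; a "CRITICAL" finding means the account is usable exactly as shipped and should be handled as described under the mitigation steps below.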
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to change the default administrative password immediately after installation to a strong, unique password. If possible, upgrade OpenAtlas to version 8.12.0 or later, which removes the automatic creation of the default admin user and requires manual creation of an admin account during installation. Until the upgrade, ensure that the default account is disabled or its password changed to prevent unauthorized access. [2]