CVE-2025-63314
Unknown Unknown - Not Provided
Static Password Reset Token in Acora CMS 10.7.1 Enables Account Takeover

Publication date: 2026-01-12

Last updated on: 2026-01-12

Assigner: MITRE

Description
A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a replay attack.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-12
Last Modified
2026-01-12
Generated
2026-06-16
AI Q&A
2026-01-13
EPSS Evaluated
2026-06-15
NVD
CVE-2025-63314
EUVD
EUVD-2026-1916
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ddsn_interactive acora_cms 10.7.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-640 The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the password reset function of DDSN Interactive Acora CMS version 10.7.1. The password reset tokens are static and persistent, meaning they do not expire or get invalidated after use. An attacker who obtains a valid reset token can reuse it indefinitely to reset user passwords arbitrarily. This allows the attacker to take over user accounts, including privileged administrator accounts, through replay attacks. [1]

Impact Analysis

The vulnerability can lead to a full account takeover by attackers, allowing them to reset passwords repeatedly without detection. This can result in unauthorized access to user accounts, privilege escalation, and compromise of sensitive data or administrative control within the affected system. [1]

Detection Guidance

Detection involves monitoring for reuse of static password reset tokens in Acora CMS v10.7.1. Since the tokens are static and persistent, you can look for repeated password reset requests using the same token. Commands to inspect web server logs for repeated password reset token usage or unusual password reset activity may help. For example, using grep to search logs for password reset token parameters: grep 'reset_token=' /var/log/apache2/access.log or equivalent. Additionally, monitoring network traffic for repeated password reset requests with identical tokens could help detect exploitation attempts. [1]

Mitigation Strategies

Immediate mitigation steps include disabling or restricting the password reset functionality in Acora CMS v10.7.1 until a patch or update is available. Implement manual password resets by administrators rather than relying on the vulnerable reset mechanism. Monitor and audit password reset requests for suspicious activity. Additionally, ensure that any obtained reset tokens are invalidated and consider resetting passwords for critical accounts. Applying any available updates or patches from the vendor once released is also essential. [1]

Compliance Impact

The vulnerability allows attackers to arbitrarily reset user passwords and take over accounts, including privileged administrator accounts, through replay attacks using static password reset tokens. This unauthorized access and potential data breach could lead to non-compliance with standards and regulations such as GDPR and HIPAA, which require protection of user data and secure authentication mechanisms. However, specific impacts on compliance are not detailed in the provided resources. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-63314. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart