CVE-2025-63314
Static Password Reset Token in Acora CMS 10.7.1 Enables Account Takeover
Publication date: 2026-01-12
Last updated on: 2026-01-12
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ddsn_interactive | acora_cms | 10.7.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-640 | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the password reset function of DDSN Interactive Acora CMS version 10.7.1. The password reset tokens are static and persistent, meaning they do not expire or get invalidated after use. An attacker who obtains a valid reset token can reuse it indefinitely to reset user passwords arbitrarily. This allows the attacker to take over user accounts, including privileged administrator accounts, through replay attacks. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to arbitrarily reset user passwords and take over accounts, including privileged administrator accounts, through replay attacks using static password reset tokens. This unauthorized access and potential data breach could lead to non-compliance with standards and regulations such as GDPR and HIPAA, which require protection of user data and secure authentication mechanisms. However, specific impacts on compliance are not detailed in the provided resources. [1]
How can this vulnerability impact me?
The vulnerability can lead to a full account takeover by attackers, allowing them to reset passwords repeatedly without detection. This can result in unauthorized access to user accounts, privilege escalation, and compromise of sensitive data or administrative control within the affected system. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves monitoring for reuse of static password reset tokens in Acora CMS v10.7.1. Since the tokens are static and persistent, you can look for repeated password reset requests that carry the same token. Inspecting web server logs for repeated use of one reset token, or for unusual bursts of password reset activity, can help; for example, search the access log for the reset token parameter with `grep 'reset_token=' /var/log/apache2/access.log` or an equivalent command for your web server. Additionally, monitoring network traffic for repeated password reset requests with identical tokens could help detect exploitation attempts. [1]
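The grep above only lists requests carrying a token; the signal that matters is one token completing more than one reset, arriving from several source addresses, or staying in use long after it was first seen. The following script, added here as an illustration and not part of the CVE record or of Acora CMS, parses constructed Apache-style access log lines and flags tokens with any of those properties. The `/account/reset` path and the `reset_token` parameter name are assumptions for the example; adjust them to the request shape your deployment actually logs.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in Apache combined log format (not real traffic).
# Token AbC123 is submitted three times from two addresses over ~40 hours;
# token ZzY987 is used once, within a minute of being viewed.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jan/2026:09:14:02 +0000] "GET /account/reset?reset_token=AbC123 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jan/2026:09:15:40 +0000] "POST /account/reset?reset_token=AbC123 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [13/Jan/2026:22:03:11 +0000] "POST /account/reset?reset_token=AbC123 HTTP/1.1" 302 0 "-" "curl/8.4"
198.51.100.7 - - [14/Jan/2026:01:47:55 +0000] "POST /account/reset?reset_token=AbC123 HTTP/1.1" 302 0 "-" "curl/8.4"
192.0.2.33 - - [12/Jan/2026:10:02:19 +0000] "GET /account/reset?reset_token=ZzY987 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.33 - - [12/Jan/2026:10:03:05 +0000] "POST /account/reset?reset_token=ZzY987 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_reset_events(log_text, param="reset_token"):
    """Return (ip, timestamp, method, token) for every request carrying `param`."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        query = parse_qs(urlparse(m.group("target")).query)
        tokens = query.get(param)
        if not tokens:
            continue  # request does not carry a reset token
        ts = datetime.strptime(m.group("ts"), TS_FMT)
        events.append((m.group("ip"), ts, m.group("method"), tokens[0]))
    return events


def find_token_reuse(log_text, max_age_hours=1.0):
    """Group requests by token and flag tokens that behave like static ones.

    A properly single-use, expiring token should complete at most one reset
    (one POST), come from one client, and not be seen beyond its lifetime.
    """
    by_token = defaultdict(list)
    for ev in parse_reset_events(log_text):
        by_token[ev[3]].append(ev)

    findings = {}
    for token, evs in by_token.items():
        evs.sort(key=lambda e: e[1])
        completed = sum(1 for e in evs if e[2] == "POST")
        ips = sorted({e[0] for e in evs})
        span_hours = (evs[-1][1] - evs[0][1]).total_seconds() / 3600
        reasons = []
        if completed > 1:
            reasons.append("reused_after_completion")
        if len(ips) > 1:
            reasons.append("multiple_source_ips")
        if span_hours > max_age_hours:
            reasons.append("used_beyond_max_age")
        if reasons:
            findings[token] = {
                "completed_resets": completed,
                "source_ips": ips,
                "span_hours": round(span_hours, 2),
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for token, info in find_token_reuse(SAMPLE_LOG).items():
        print(token, info)
```

Run against a real log by replacing `SAMPLE_LOG` with the file contents; `max_age_hours` should match the token lifetime you expect the application to enforce, so that anything older stands out as a token that never expired.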
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include disabling or restricting the password reset functionality in Acora CMS v10.7.1 until a patch or update is available. Implement manual password resets by administrators rather than relying on the vulnerable reset mechanism. Monitor and audit password reset requests for suspicious activity. Additionally, ensure that any obtained reset tokens are invalidated and consider resetting passwords for critical accounts. Applying any available updates or patches from the vendor once released is also essential. [1]
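The weakness behind CWE-640 here is a reset token that is never invalidated. The class below, added as an illustration and not code from Acora CMS or its vendor, shows the properties a reset token store needs to defeat replay: tokens are random, stored only as a hash, expire after a short lifetime, are removed on first use, and are superseded when a new one is issued for the same user. The `clock` parameter is an assumption that lets the lifetime be exercised without waiting.

```python
import hashlib
import secrets
import time


class ResetTokenStore:
    """Single-use, time-limited password reset tokens (illustrative, in-memory)."""

    def __init__(self, ttl_seconds=900, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._pending = {}  # sha256(token) -> (user_id, expires_at)

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked store does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id):
        """Create a fresh token for user_id, invalidating any earlier one."""
        self.revoke(user_id)
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        self._pending[self._digest(token)] = (user_id, self.clock() + self.ttl)
        return token

    def consume(self, token):
        """Return the user_id for a valid token, or None.

        The entry is removed before any check, so a token is gone after its
        first presentation whether or not that presentation succeeded.
        """
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.clock() > expires_at:
            return None
        return user_id

    def revoke(self, user_id):
        """Drop every outstanding token for user_id (e.g. after any password change)."""
        self._pending = {d: v for d, v in self._pending.items() if v[0] != user_id}


def demo():
    """Exercise the replay, expiry and supersession behaviours with a fake clock."""
    now = [1_000.0]
    store = ResetTokenStore(ttl_seconds=60, clock=lambda: now[0])

    t1 = store.issue("alice")
    first_use = store.consume(t1)      # "alice"
    replay = store.consume(t1)         # None: token already consumed

    t2 = store.issue("alice")
    now[0] += 61
    expired = store.consume(t2)        # None: presented after its lifetime

    t3 = store.issue("bob")
    t4 = store.issue("bob")            # supersedes t3
    superseded = store.consume(t3)     # None
    current = store.consume(t4)        # "bob"

    return first_use, replay, expired, superseded, current


if __name__ == "__main__":
    print(demo())
```

In a real deployment the pending map would live in the database alongside the account, and `revoke` would also be called from every other path that changes the password, so that an attacker holding an old token cannot undo a legitimate reset.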