CVE-2025-63314
CriticalCVSS 10.0Exploitation Probability (EPSS)
Low risk18th percentile - higher than 18% of all known CVEs
Summary
In DDSN Interactive Acora CMS v10.7.1, the password reset function uses a static token, allowing an attacker to reuse the same token to reset any user's password and perform a full account takeover.
Risk Assessment
An attacker can take over an administrator or other privileged account, gaining full access to the CMS system and its stored data.
Recommendation
Immediately update Acora CMS to the latest version that fixes this vulnerability and enforce the use of one-time, random password reset tokens.
Original NVD description (English source)
A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a replay attack.

