CVE Catalog

CVE-2025-63314

CriticalCVSS 10.0
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.26%

18th percentile - higher than 18% of all known CVEs

Summary

In DDSN Interactive Acora CMS v10.7.1, the password reset function uses a static token, allowing an attacker to reuse the same token to reset any user's password and perform a full account takeover.

Risk Assessment

An attacker can take over an administrator or other privileged account, gaining full access to the CMS system and its stored data.

Recommendation

Immediately update Acora CMS to the latest version that fixes this vulnerability and enforce the use of one-time, random password reset tokens.

Original NVD description (English source)

A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a replay attack.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS