CVE-2025-22144

Critical · Public PoC

Published: 13 January 2025
Modified: 13 May 2025
CVSS Score v4: 9.0 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0041 (61.7th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-22144 is a critical-severity Externally Controlled Reference to a Resource in Another Sphere (CWE-610) vulnerability in Namelessmc Nameless. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 38.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-22144 is a critical vulnerability (CVSS 9.8, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) in NamelessMC, free website software for Minecraft servers. The flaw stems from improper handling of password reset codes during user validation. Specifically, when an account is approved via email, the reset_code remains NULL, but when a user with admincp.core.emails or admincp.users.edit permissions validates the account manually, the reset_code is set to an empty value instead of NULL. A password reset request that carries an empty code then matches such an account, which enables unauthorized password resets. The issue is linked to CWE-610 (Externally Controlled Reference to a Resource in Another Sphere) and CWE-640 (Weak Password Recovery Mechanism for Forgotten Password).

An unauthenticated attacker can exploit this vulnerability remotely with low complexity and no user interaction by sending a request to the /forgot_password/ endpoint (e.g., http://localhost/nameless/index.php?route=/forgot_password/&c=). This allows the attacker to reset the password of any user account, resulting in full account takeover and potential compromise of associated Minecraft server access or other linked resources.

The NamelessMC GitHub security advisory (GHSA-p883-7496-x35p) and release notes for version 2.1.3 confirm the issue has been fixed in that update, urging all users to upgrade immediately. No workarounds are available.
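The NULL versus empty reset_code distinction described above, modelled as an added example (not NamelessMC's own code, which is PHP). The table name users, the sample rows, the function names and the 16-character minimum are assumptions made for illustration. It contrasts an unchecked equality lookup with one that rejects empty codes, and includes an audit query that lists accounts left with an empty reset_code.

```python
import sqlite3

# Constructed schema and rows: the table name "users" and these accounts are
# assumptions for illustration, not NamelessMC's real schema or data.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, reset_code TEXT)"
    )
    db.executemany(
        "INSERT INTO users (username, reset_code) VALUES (?, ?)",
        [
            ("email_validated", None),     # approved by email: reset_code stays NULL
            ("manually_validated", ""),    # validated by staff: reset_code is empty
            ("pending_reset", "k3Jq9constructedtoken"),  # outstanding reset request
        ],
    )
    return db

def naive_lookup(db, code):
    """Equality lookup with no check on the submitted code (the weak pattern)."""
    row = db.execute(
        "SELECT username FROM users WHERE reset_code = ?", (code,)
    ).fetchone()
    return row[0] if row else None

def hardened_lookup(db, code, min_len=16):
    """Reject missing, empty or short codes before the database is consulted."""
    if not isinstance(code, str) or len(code) < min_len:
        return None
    return naive_lookup(db, code)

def audit_empty_reset_codes(db):
    """List accounts whose stored reset_code is empty rather than NULL."""
    rows = db.execute(
        "SELECT username FROM users "
        "WHERE reset_code IS NOT NULL AND TRIM(reset_code) = '' ORDER BY id"
    )
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    print("naive lookup, empty code:   ", naive_lookup(db, ""))
    print("hardened lookup, empty code:", hardened_lookup(db, ""))
    print("accounts with empty code:   ", audit_empty_reset_codes(db))
```

In SQL, NULL never compares equal to anything, so the email-validated row is never matched by an empty code, while the empty-string row is.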

Vulnerability details

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. A user with admincp.core.emails or admincp.users.edit permissions can validate users and an attacker can reset their password. When the account is successfully approved by email the reset code is NULL, but when the account is manually validated by a user with admincp.core.emails or admincp.users.edit permissions then the reset_code will no longer be NULL but empty. An attacker can request http://localhost/nameless/index.php?route=/forgot_password/&c= and reset the password. As a result an attacker may compromise another user's password and take over their account. This issue has been addressed in release version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

A vulnerability in the public-facing NamelessMC web app directly enables remote, unauthenticated exploitation of a weak password recovery mechanism for account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-63314 (shared CWE-640)
CVE-2026-29199 (shared CWE-640)
CVE-2026-40585 (shared CWE-640)
CVE-2020-37172 (shared CWE-640)
CVE-2026-1325 (shared CWE-640)
CVE-2022-50910 (shared CWE-640)
CVE-2026-42606 (shared CWE-640)
CVE-2026-25858 (shared CWE-640)
CVE-2026-26273 (shared CWE-640)
CVE-2024-42168 (shared CWE-610)

Affected Assets

namelessmc / nameless, versions ≤ 2.1.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SI-2 requires timely flaw remediation, directly mitigating this CVE by patching NamelessMC to version 2.1.3 which fixes the improper reset_code handling.

Prevent: IA-5 mandates secure management of authenticators including procedures for password resets, preventing weak recovery mechanisms that allow unauthorized account takeovers.

Prevent: SI-10 enforces validation of inputs like the password reset code parameter (&c=), blocking exploits using NULL or empty values to reset any user's password.
