CVE-2025-24968
Published: 04 February 2025
Summary
CVE-2025-24968 is a high-severity Improper Access Control (CWE-284) vulnerability in Yogeshojha Rengine. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 42.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces approved authorizations to prevent low-privilege roles like penetration_tester or auditor from deleting all projects.
Applies least privilege to ensure roles such as penetration_tester or auditor lack permissions for unrestricted project deletion.
Manages accounts and role memberships to avoid assigning excessive privileges that enable mass project deletion.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables unauthorized deletion of all projects (T1485 Data Destruction) due to improper access control bypass from low-priv roles, directly facilitating privilege escalation (T1068) to perform account creation (T1136) and manipulation (T1098) for full system takeover.
NVD Description
reNgine is an automated reconnaissance framework for web applications. An unrestricted project deletion vulnerability allows attackers with specific roles, such as `penetration_tester` or `auditor` to delete all projects in the system. This can lead to a complete system takeover by…
more
redirecting the attacker to the onboarding page, where they can add or modify users, including Sys Admins, and configure critical settings like API keys and user preferences. This issue affects all versions up to and including 2.20. Users are advised to monitor the project for future releases which address this issue. There are no known workarounds.
Deeper analysisAI
CVE-2025-24968 is an unrestricted project deletion vulnerability in reNgine, an automated reconnaissance framework for web applications. Attackers with specific roles, such as penetration_tester or auditor, can delete all projects in the system, bypassing intended restrictions. This flaw, linked to CWE-284 (Improper Access Control), affects all versions up to and including 2.20 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H).
An authenticated attacker possessing a low-privilege role like penetration_tester or auditor can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows deletion of all projects, which redirects the attacker to the onboarding page. From there, they achieve complete system takeover by adding or modifying users—including creating Sys Admins—and configuring critical settings such as API keys and user preferences.
The GitHub security advisory (GHSA-3327-6x79-q396) recommends that users monitor the reNgine project repository for future releases that address this issue, as no patches or known workarounds are currently available.
Details
- CWE(s)