Cyber Resilience

CVE-2025-51536

Severity: Critical · Public PoC referenced

Published: 04 August 2025
Modified: 23 September 2025
KEV Added: not listed
CVSS Score: v3.1 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0055 (68.5th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-51536 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in OpenAtlas (listed in this record under the vendor name Craws Openatlas). Its CVSS v3.1 base score is 9.8 (Critical).

Exploitation maps to the MITRE ATT&CK technique Default Accounts (T1078.001). The EPSS percentile places the CVE in the top 31.5% by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The record's automated classification tags the vulnerability as AI-related (category Other Platforms, risk domain Supply Chain and Deployment). That tag rests solely on the keyword "ai" matched in the vendor's acronym, Austrian Archaeological Institute (AI), in the vulnerability description; nothing on this page indicates that machine-learning components are involved, so treat the AI label as a false positive of the keyword match.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-51536 is a critical vulnerability in OpenAtlas version 8.11.0, software developed by the Austrian Archaeological Institute (ÖAI). The issue involves a hardcoded Administrator password, violating CWE-798 (Use of Hard-coded Credentials) and CWE-1392 (Use of Default Credentials). Published on 2025-08-04, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its severe potential impact.

Because the Administrator password is fixed and publicly documented, anyone who can reach the login interface over the network can authenticate as Administrator: no prior privileges, no user interaction and no special attack complexity are required. That account gives complete control over the application and its data, so confidentiality, integrity and availability are all fully affected (data exfiltration, modification or deletion, denial of service). Since the weakness is a default credential rather than a code defect alone, verify on each deployed instance that the Administrator password has actually been changed; checking the installed version by itself does not establish that.

Advisories published by sec4you-pentest.com, available at https://www.sec4you-pentest.com/schwachstelle/openatlas-standard-adminkonto-mit-hartcodiertem-passwort/ and https://www.sec4you-pentest.com/schwachstellen/, document the flaw and provide details for security practitioners to address it.


Vulnerability details

Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 was discovered to contain a hardcoded Administrator password.

CWE(s)

CWE-798 Use of Hard-coded Credentials
CWE-1392 Use of Default Credentials

AI Security Analysis (automated)

AI Category: Other Platforms
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai (the "AI" acronym of the Austrian Archaeological Institute in the vulnerability description, not a machine-learning component)

Related Threats

MITRE ATT&CK Enterprise Techniques (automated mapping)

T1078.001 Default Accounts [Stealth]
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why this technique?

Hardcoded default administrator credentials (OpenAtlas / change_me_PLEASE!) enable use of a default account for unauthenticated remote access and full application takeover.

CVEs Like This One

CVE-2025-60915 (same product: Craws Openatlas)
CVE-2025-51534 (same product: Craws Openatlas)
CVE-2023-27573 (shared CWE-1392, CWE-798)
CVE-2026-23781 (shared CWE-798)
CVE-2025-30122 (shared CWE-798)
CVE-2026-29119 (shared CWE-798)
CVE-2026-24346 (shared CWE-798)
CVE-2025-1160 (shared CWE-1392)
CVE-2024-46433 (shared CWE-798)
CVE-2026-26341 (shared CWE-1392)

Affected Assets

craws : openatlas, versions ≤ 8.12.0 (the vulnerability description itself names v8.11.0)

Mitigating Controls (NIST 800-53 r5, automated mapping)

IA-5 Authenticator Management (prevent): directly prohibits the use of hard-coded authenticators, addressing the root cause of the hardcoded Administrator password in OpenAtlas.

SI-2 Flaw Remediation (prevent): mandates timely identification, reporting, and correction of software flaws such as this hardcoded credential to prevent remote exploitation.

Account management (prevent): supports disabling or securing the vulnerable Administrator account, for example by forcing a password change on it, to mitigate unauthorized access.
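The two checks a practitioner most wants from the exploitation paragraph and the controls above are (a) a way to confirm that a deployed instance no longer carries the default pair quoted in the technique mapping, and (b) what an install path that satisfies IA-5 looks like next to the CWE-798 pattern. The Python below is an added example written for this page, not OpenAtlas project code: the project's real user table, password-hashing scheme and login handler are not described here, so an in-memory user store with PBKDF2-HMAC hashing from the standard library stands in for them, and the functions `audit_default_credentials`, `bootstrap_admin_vulnerable`, `bootstrap_admin_hardened`, `login` and `change_password` are all constructed for the illustration. The audit runs offline against stored hashes instead of attempting logins, and the hardened bootstrap never writes a known password anywhere.

```python
"""Default-credential audit and hardened admin bootstrap (added example).

Not OpenAtlas code: the user store, hashing scheme and login flow below are
stand-ins chosen for this illustration. The default pair is the one quoted
in the technique mapping for this CVE.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Known default credentials to audit for. The OpenAtlas pair comes from the
# advisory; further (username, password) pairs can be appended for other products.
KNOWN_DEFAULTS = [("OpenAtlas", "change_me_PLEASE!")]

# Illustrative work factor only; production should follow current OWASP guidance
# for PBKDF2-HMAC-SHA256 or use a memory-hard scheme (Argon2id, scrypt).
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest); a fresh 16-byte random salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class User:
    name: str
    salt: bytes
    digest: bytes
    is_admin: bool = False
    must_change_password: bool = False


class UserStore:
    """In-memory stand-in for the application's user table."""

    def __init__(self):
        self.users = {}

    def add(self, user: User) -> None:
        self.users[user.name] = user


def bootstrap_admin_vulnerable(store: UserStore) -> None:
    """CWE-798 / CWE-1392 pattern: a fixed, documented password seeded at install time."""
    salt, digest = hash_password("change_me_PLEASE!")
    store.add(User("OpenAtlas", salt, digest, is_admin=True))


def bootstrap_admin_hardened(store: UserStore) -> str:
    """IA-5 pattern: a random one-time password, returned once to the installer,
    and the account flagged so that the first login must replace it."""
    one_time = secrets.token_urlsafe(24)
    salt, digest = hash_password(one_time)
    store.add(User("OpenAtlas", salt, digest, is_admin=True, must_change_password=True))
    return one_time  # shown once, never stored in clear


def login(store: UserStore, name: str, password: str) -> str:
    """Return 'ok', 'password-change-required' or 'denied'."""
    user = store.users.get(name)
    if user is None or not check_password(password, user.salt, user.digest):
        return "denied"
    if user.must_change_password:
        return "password-change-required"  # no session until the one-time value is replaced
    return "ok"


def change_password(store: UserStore, name: str, old: str, new: str) -> bool:
    """Rotate a password; refuses any value that appears on the known-default list."""
    user = store.users.get(name)
    if user is None or not check_password(old, user.salt, user.digest):
        return False
    if any(new == default_pw for _, default_pw in KNOWN_DEFAULTS):
        return False
    user.salt, user.digest = hash_password(new)
    user.must_change_password = False
    return True


def audit_default_credentials(store: UserStore) -> list:
    """Names of accounts whose stored hash verifies against any known default
    password (regardless of account name). Runs against the database copy, so
    nothing is sent to the live application."""
    return [user.name for user in store.users.values()
            if any(check_password(pw, user.salt, user.digest) for _, pw in KNOWN_DEFAULTS)]


if __name__ == "__main__":
    unpatched = UserStore()
    bootstrap_admin_vulnerable(unpatched)
    print("vulnerable install, accounts on default password:", audit_default_credentials(unpatched))

    hardened = UserStore()
    one_time = bootstrap_admin_hardened(hardened)
    print("hardened install, accounts on default password:", audit_default_credentials(hardened))
    print("first login with one-time password:", login(hardened, "OpenAtlas", one_time))
```

The audit deliberately checks every account against every known default password rather than only the matching username, so an operator who renamed the default account but kept its password is still flagged. Pointing `KNOWN_DEFAULTS` at a product's real password-hash column is the only adaptation needed to turn this into a real post-upgrade check.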

References

https://www.sec4you-pentest.com/schwachstelle/openatlas-standard-adminkonto-mit-hartcodiertem-passwort/
https://www.sec4you-pentest.com/schwachstellen/