Cyber Posture

CVE-2025-51536

Severity: Critical · Public PoC referenced

Published: 04 August 2025
Modified: 23 September 2025
KEV Added: not listed
Patch: (no entry)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.1st percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-51536 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Craws Openatlas. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The vulnerability is ranked at the 39.1st percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- IA-5 Authenticator Management (prevent): Directly prohibits the use of hard-coded authenticators, addressing the root cause of the hard-coded Administrator password in OpenAtlas.

- SI-2 Flaw Remediation (prevent): Mandates timely identification, reporting, and correction of software flaws such as this hard-coded credential vulnerability, preventing remote exploitation.

- Account management (prevent): Supports management of accounts by allowing the vulnerable Administrator account to be disabled or secured, mitigating the risk of unauthorized access.

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts [Stealth]
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Hardcoded default administrator credentials (OpenAtlas/change_me_PLEASE!) enable use of default accounts for unauthenticated remote access and full application takeover.

NVD Description

Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 was discovered to contain a hardcoded Administrator password.

Deeper analysis

CVE-2025-51536 is a critical vulnerability in OpenAtlas version 8.11.0, software developed by the Austrian Archaeological Institute (ÖAI). The issue involves a hardcoded Administrator password, violating CWE-798 (Use of Hard-coded Credentials) and CWE-1392 (Use of Default Credentials). Published on 2025-08-04, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its severe potential impact.

Any remote attacker with network access can exploit this vulnerability due to its low attack complexity, lack of required privileges, and absence of user interaction. Exploitation allows unauthenticated login as the Administrator, providing complete control over the system and enabling high confidentiality, integrity, and availability impacts, such as data exfiltration, modification, or denial of service.

Advisories published by sec4you-pentest.com, available at https://www.sec4you-pentest.com/schwachstelle/openatlas-standard-adminkonto-mit-hartcodiertem-passwort/ and https://www.sec4you-pentest.com/schwachstellen/, document the flaw and provide details for security practitioners to address it.

Details

CWE(s): CWE-798 (Use of Hard-coded Credentials), CWE-1392 (Use of Default Credentials)

Affected Products

Vendor: craws
Product: openatlas
Versions: ≤ 8.12.0

CVEs Like This One

- CVE-2025-60915 (same product: Craws Openatlas)
- CVE-2025-51534 (same product: Craws Openatlas)
- CVE-2026-24346 (shared CWE-798)
- CVE-2024-51547 (shared CWE-798)
- CVE-2025-30122 (shared CWE-798)
- CVE-2026-1803 (shared CWE-1392)
- CVE-2026-23781 (shared CWE-798)
- CVE-2026-27785 (shared CWE-798)
- CVE-2026-26218 (shared CWE-798)
- CVE-2026-25803 (shared CWE-798)
