CVE-2025-51536
Published: 04 August 2025
Summary
CVE-2025-51536 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Craws Openatlas. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks in the top 31.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is classed as AI-related, categorised under Other Platforms in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-51536 is a critical vulnerability in OpenAtlas version 8.11.0, software developed by the Austrian Archaeological Institute (ÖAI). The issue involves a hardcoded Administrator password, violating CWE-798 (Use of Hard-coded Credentials) and CWE-1392 (Use of Default Credentials). Published on 2025-08-04, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its severe potential impact.
Any remote attacker with network access can exploit this vulnerability due to its low attack complexity, lack of required privileges, and absence of user interaction. Exploitation allows unauthenticated login as the Administrator, providing complete control over the system and enabling high confidentiality, integrity, and availability impacts, such as data exfiltration, modification, or denial of service.
Advisories published by sec4you-pentest.com, available at https://www.sec4you-pentest.com/schwachstelle/openatlas-standard-adminkonto-mit-hartcodiertem-passwort/ and https://www.sec4you-pentest.com/schwachstellen/, document the flaw and provide details for security practitioners to address it.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23504
Vulnerability details
Austrian Archaeological Institute (AI) OpenAtlas v8.11.0 was discovered to contain a hardcoded Administrator password.
- CWE(s): CWE-798 (Use of Hard-coded Credentials), CWE-1392 (Use of Default Credentials)
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai
Related Threats
MITRE ATT&CK Enterprise Techniques
- Default Accounts (T1078.001)
Why these techniques?
Hardcoded default administrator credentials (OpenAtlas/change_me_PLEASE!) enable use of default accounts for unauthenticated remote access and full application takeover.
Affected Assets
- OpenAtlas 8.11.0 (Austrian Archaeological Institute)
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): directly prohibits the use of hard-coded authenticators, addressing the root cause of the hardcoded Administrator password in OpenAtlas.
- SI-2 (Flaw Remediation): mandates timely identification, reporting, and correction of software flaws like this hardcoded credential vulnerability to prevent remote exploitation.
- Account management: supports disabling or securing the vulnerable Administrator account to mitigate unauthorized access risks.
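The IA-5 and account-management controls above translate into two concrete checks: refuse to start with a shipped or default administrator password, and audit stored accounts for any that still carry one. The following is an added example written for this page, not OpenAtlas code or a sec4you advisory artifact. The environment variable name OPENATLAS_ADMIN_PASSWORD, the account record layout, the PBKDF2 parameters and the 14-character minimum are assumptions; the default value "change_me_PLEASE!" is the one quoted in the ATT&CK explanation on this page, and the other entries in the default list are constructed placeholders.

```python
"""Startup guard and account audit for the default-credential pattern
behind CVE-2025-51536 (CWE-798 / CWE-1392). Added example, not OpenAtlas code."""
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional

# Values that must never be accepted as a live administrator password.
# "change_me_PLEASE!" is the default quoted on this page; the rest are
# constructed placeholders of the kind commonly left in shipped configs.
KNOWN_DEFAULT_PASSWORDS = frozenset({
    "change_me_PLEASE!",
    "admin",
    "password",
    "changeme",
})

MIN_PASSWORD_LENGTH = 14          # assumed policy value for this example
PBKDF2_ITERATIONS = 100_000       # assumed; tune to your hardware


def is_default_password(password: str) -> bool:
    """True if the password equals a known default (case-insensitive)."""
    return password.lower() in {p.lower() for p in KNOWN_DEFAULT_PASSWORDS}


def validate_admin_password(password: Optional[str]) -> List[str]:
    """Return the reasons a configured admin password is unacceptable.

    An empty list means the password passes. The caller should refuse to
    start or disable the account when the list is non-empty, instead of
    silently falling back to a built-in value.
    """
    problems: List[str] = []
    if not password:
        problems.append("no administrator password configured")
        return problems
    if is_default_password(password):
        problems.append("password is a known default value")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    return problems


def load_admin_password_from_env(var: str = "OPENATLAS_ADMIN_PASSWORD") -> str:
    """Read the admin password from the environment and enforce the policy.

    The variable name is a hypothetical choice for this example. Raising here
    turns a silent default into a loud deployment failure.
    """
    password = os.environ.get(var)
    problems = validate_admin_password(password)
    if problems:
        raise RuntimeError("refusing to start: " + "; ".join(problems))
    return password  # type: ignore[return-value]


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, as a stand-in for the app's real hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_account(username: str, password: str,
                 iterations: int = PBKDF2_ITERATIONS) -> Dict[str, object]:
    """Build a constructed account record in the layout assumed below."""
    salt = secrets.token_bytes(16)
    return {"username": username, "salt": salt, "iterations": iterations,
            "pwd_hash": hash_password(password, salt, iterations)}


def accounts_with_default_passwords(accounts: List[Dict[str, object]]) -> List[str]:
    """Audit stored records and return usernames still using a known default.

    Each record is {"username", "salt", "iterations", "pwd_hash"}. Hashing each
    known default with the record's own salt and comparing in constant time
    finds accounts that were never reset, without needing any plaintext.
    """
    hits: List[str] = []
    for acct in accounts:
        for default in KNOWN_DEFAULT_PASSWORDS:
            candidate = hash_password(default, acct["salt"], acct["iterations"])  # type: ignore[arg-type]
            if hmac.compare_digest(candidate, acct["pwd_hash"]):  # type: ignore[arg-type]
                hits.append(str(acct["username"]))
                break
    return hits


if __name__ == "__main__":
    # Constructed sample: one account left on the default, one properly reset.
    sample = [make_account("OpenAtlas", "change_me_PLEASE!"),
              make_account("curator", "Q7v!rL2#pN9sWm4e")]
    print("accounts still on a default password:", accounts_with_default_passwords(sample))
```

Run the audit against an export of the real user table on a schedule, and wire `load_admin_password_from_env` into the application's startup path so that a deployment that never set a password fails closed rather than booting with the shipped one.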