CVE-2025-63314
Published: 12 January 2026
Summary
CVE-2025-63314 is a critical-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in Ddsn Cm3 Acora Cms. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-63314 affects DDSN Interactive Acora CMS version 10.7.1, specifically in the password reset function, which uses a static password reset token. This design flaw enables attackers to conduct a replay attack, allowing arbitrary password resets for users. The vulnerability is classified under CWE-640 and carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L), reflecting its critical severity due to network accessibility, low attack complexity, lack of required privileges or user interaction, and impact across confidentiality, integrity, and availability with scope expansion.
Any remote attacker can exploit this vulnerability without authentication by capturing and replaying the static token during the password reset process, leading to full account takeover of targeted users. Successful exploitation grants complete control over the compromised account, potentially enabling further unauthorized access, data exfiltration, or privilege escalation within the CMS environment.
Mitigation guidance and additional details are provided in vendor resources at http://acora.com and http://ddsn.com, along with a dedicated GitHub repository at https://github.com/padayali-JD/CVE-2025-63314.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-1916
Vulnerability details
A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a replay attack.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Static token replay in public-facing CMS password reset directly enables remote unauthenticated exploitation of the web application.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
IA-5 requires secure management of authenticators like password reset tokens, ensuring they are dynamic, single-use, and time-limited to directly prevent replay attacks.
SI-2 mandates timely identification, reporting, and correction of critical flaws such as the static password reset token in Acora CMS v10.7.1.
AC-2 enforces account management processes including approval, monitoring, and notification of password changes to mitigate unauthorized account takeovers via reset.