Cyber Resilience

CVE-2025-63314

Critical

Published: 12 January 2026

Published
12 January 2026
Modified
22 January 2026
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
EPSS Score 0.0029 20.8th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2025-63314 is a critical-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in Ddsn Cm3 Acora Cms. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 20.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-63314 affects DDSN Interactive Acora CMS version 10.7.1, specifically in the password reset function, which uses a static password reset token. This design flaw enables attackers to conduct a replay attack, allowing arbitrary password resets for users. The vulnerability is classified under CWE-640 and carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L), reflecting its critical severity due to network accessibility, low attack complexity, lack of required privileges or user interaction, and impact across confidentiality, integrity, and availability with scope expansion.

Any remote attacker can exploit this vulnerability without authentication by capturing and replaying the static token during the password reset process, leading to full account takeover of targeted users. Successful exploitation grants complete control over the compromised account, potentially enabling further unauthorized access, data exfiltration, or privilege escalation within the CMS environment.

Mitigation guidance and additional details are provided in vendor resources at http://acora.com and http://ddsn.com, along with a dedicated GitHub repository at https://github.com/padayali-JD/CVE-2025-63314.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a replay attack.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Static token replay in public-facing CMS password reset directly enables remote unauthenticated exploitation of the web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-29199Shared CWE-640
CVE-2025-22964Same vendor: Ddsn
CVE-2022-50910Shared CWE-640
CVE-2026-42606Shared CWE-640
CVE-2026-25858Shared CWE-640
CVE-2026-40585Shared CWE-640
CVE-2026-1325Shared CWE-640
CVE-2020-37172Shared CWE-640
CVE-2025-25967Same vendor: Ddsn
CVE-2024-11350Shared CWE-640

Affected Assets

ddsn
cm3 acora cms
10.7.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

IA-5 requires secure management of authenticators like password reset tokens, ensuring they are dynamic, single-use, and time-limited to directly prevent replay attacks.

prevent

SI-2 mandates timely identification, reporting, and correction of critical flaws such as the static password reset token in Acora CMS v10.7.1.

prevent

AC-2 enforces account management processes including approval, monitoring, and notification of password changes to mitigate unauthorized account takeovers via reset.

References