Cyber Posture

CVE-2025-63314

Critical

Published: 12 January 2026

Published
12 January 2026
Modified
22 January 2026
KEV Added
Patch
CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L
EPSS Score 0.0006 17.7th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-63314 is a critical-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in Ddsn Cm3 Acora Cms. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match
prevent

IA-5 requires secure management of authenticators like password reset tokens, ensuring they are dynamic, single-use, and time-limited to directly prevent replay attacks.

SI-2 Flaw Remediation good match
prevent

SI-2 mandates timely identification, reporting, and correction of critical flaws such as the static password reset token in Acora CMS v10.7.1.

AC-2 Account Management partial match
prevent

AC-2 enforces account management processes including approval, monitoring, and notification of password changes to mitigate unauthorized account takeovers via reset.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Static token replay in public-facing CMS password reset directly enables remote unauthenticated exploitation of the web application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a replay attack.

Deeper analysisAI

CVE-2025-63314 affects DDSN Interactive Acora CMS version 10.7.1, specifically in the password reset function, which uses a static password reset token. This design flaw enables attackers to conduct a replay attack, allowing arbitrary password resets for users. The vulnerability is classified under CWE-640 and carries a maximum CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L), reflecting its critical severity due to network accessibility, low attack complexity, lack of required privileges or user interaction, and impact across confidentiality, integrity, and availability with scope expansion.

Any remote attacker can exploit this vulnerability without authentication by capturing and replaying the static token during the password reset process, leading to full account takeover of targeted users. Successful exploitation grants complete control over the compromised account, potentially enabling further unauthorized access, data exfiltration, or privilege escalation within the CMS environment.

Mitigation guidance and additional details are provided in vendor resources at http://acora.com and http://ddsn.com, along with a dedicated GitHub repository at https://github.com/padayali-JD/CVE-2025-63314.

Details

CWE(s)
CWE-640

Affected Products

ddsn
cm3 acora cms
10.7.1

CVEs Like This One

CVE-2025-22964Same vendor: Ddsn
CVE-2026-1325Shared CWE-640
CVE-2026-40585Shared CWE-640
CVE-2022-50910Shared CWE-640
CVE-2026-29199Shared CWE-640
CVE-2026-25858Shared CWE-640
CVE-2020-37172Shared CWE-640
CVE-2025-25967Same vendor: Ddsn
CVE-2025-4320Shared CWE-640
CVE-2025-69614Shared CWE-640

References