Cyber Posture

CVE-2025-63747

Severity: Critical · Public PoC

Published: 17 November 2025
Modified: 26 November 2025
KEV Added: not listed
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (23.9th percentile)
Risk Priority: 20 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-63747 is a critical-severity Weak Password Requirements (CWE-521) vulnerability in Testmanagement Qatraq. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 23.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Default Accounts (T1078.001) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: IA-5 requires changing default authenticators prior to first use, directly preventing exploitation of the shipped default administrative credentials in QaTraq 6.9.2.

Prevent: AC-2 mandates management of accounts, including disabling unnecessary or default accounts, mitigating the enabled default admin account that grants immediate administrative access.

Prevent: CM-6 enforces secure configuration settings, such as disabling default credentials in web applications like QaTraq, preventing unauthenticated attackers from logging in with known defaults.

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts [Stealth]
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

T1190 Exploit Public-Facing Application [Initial Access]
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Default admin credentials (admin:admin) enable use of valid default accounts (T1078.001). Unrestricted authenticated file upload facilitates exploitation of a public-facing web application for RCE via web shell deployment (T1190).

NVD Description

QaTraq 6.9.2 ships with administrative account credentials which are enabled in default installations and permit immediate login via the web application login page. Because the account provides administrative privileges in the default configuration, an attacker who can reach the login page can gain administrative access.

Deeper analysis

CVE-2025-63747 is a critical vulnerability in QaTraq 6.9.2, a web application, stemming from default administrative account credentials that are enabled in standard installations. These credentials allow immediate login through the web application's login page, providing full administrative privileges due to the default configuration. The issue is classified under CWE-521 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), highlighting its severity.

The vulnerability can be exploited by any unauthenticated attacker with network access to the login page, requiring no privileges, user interaction, or special conditions. Upon login with the default credentials, the attacker gains administrative access to the application, enabling potential compromise of confidentiality, integrity, and availability.

Advisories and further details are available from the vendor at http://qatraq.com and an independent analysis at https://bitsbyamg.com/blog/post/2025/10/19/qatraq-692-default-creds-and-file-upload-rce, which security practitioners should review for recommended mitigations and patches.

Details

CWE(s)

CWE-521 (Weak Password Requirements)

Affected Products

Vendor: testmanagement
Product: qatraq
Version: 6.9.2

CVEs Like This One

CVE-2026-25715 (shared CWE-521)
CVE-2025-53963 (shared CWE-521)
CVE-2025-11200 (shared CWE-521)
CVE-2025-27663 (shared CWE-521)
CVE-2025-55269 (shared CWE-521)
CVE-2025-55252 (shared CWE-521)
CVE-2025-12285 (shared CWE-521)
CVE-2025-22390 (shared CWE-521)
CVE-2025-25749 (shared CWE-521)
CVE-2025-25211 (shared CWE-521)