CVE-2025-67418
Published: 22 December 2025
Summary
CVE-2025-67418 is a critical-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Oxygenz Clipbucket. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and CM-6 (Configuration Settings).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
IA-5 mandates management of authenticators to prohibit hardcoded or default credentials, directly preventing unauthorized administrative access via known defaults.
AC-2 requires proper account management including disabling or securing default administrative accounts, mitigating exploitation of shipped hardcoded credentials.
CM-6 enforces secure configuration settings by requiring changes to vendor default passwords and credentials, addressing the shipped improper access control.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Hardcoded default admin credentials in a public-facing web application (ClipBucket) enable exploitation of public-facing applications (T1190) and use of default accounts (T1078.001) for unauthorized remote administrative access.
NVD Description
ClipBucket 5.5.2 is affected by an improper access control issue where the product is shipped or deployed with hardcoded default administrative credentials. An unauthenticated remote attacker can log in to the administrative panel using these default credentials, resulting in full…
more
administrative control of the application.
Deeper analysisAI
CVE-2025-67418 is an improper access control vulnerability in ClipBucket 5.5.2, stemming from hardcoded default administrative credentials shipped or deployed with the product. This issue, published on 2025-12-22T20:15:45.303, carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-798 (Use of Hard-coded Credentials), enabling unauthorized access to the application's administrative functions.
An unauthenticated remote attacker can exploit this vulnerability by logging into the administrative panel using the default credentials, resulting in full administrative control of the ClipBucket application. No privileges, user interaction, or special conditions are required, making it highly accessible over the network with low complexity.
Mitigation guidance is available in advisories referenced at http://clipbucket.com and the detailed analysis at https://medium.com/@arpit03sharma2003/cve-2025-67418-when-default-credentials-become-a-remote-root-button-03be5ee4b927.
Details
- CWE(s)