CVE-2025-69240
Published: 16 March 2026
Summary
CVE-2025-69240 is a high-severity Use of Less Trusted Source (CWE-348) vulnerability in Raytha CMS (vendor Raytha). Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 6.0th percentile for exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mandates validation of information inputs such as the X-Forwarded-Host and Host headers, preventing the spoofing that produces malicious password reset links.
- SI-2 (Flaw Remediation): requires timely flaw remediation, here patching Raytha CMS to version 1.4.6, which fixes the improper header validation.
- SC-7 (Boundary Protection): boundary protection at web interfaces can enforce header validation, or strip and overwrite spoofed Host/X-Forwarded-Host values, at reverse proxies or WAFs before requests reach the CMS.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
T1190 (Exploit Public-Facing Application): the header-spoofing flaw sits in a public-facing CMS and is triggered by a single unauthenticated HTTP request, so remote exploitation directly hijacks password reset tokens and compromises accounts.
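Because the exploit arrives as an ordinary request to the public reset endpoint, it is visible in edge or application access logs. The following detection logic is an added example and is not taken from the page, NVD, CERT.pl or the Raytha project; the log format, the endpoint path `/forgot-password`, the host allowlist and the sample lines are all constructed for the illustration.

```python
"""
Flag password-reset requests whose Host or X-Forwarded-Host is not a host the
site actually serves. Added example for CVE-2025-69240; not Raytha's code.
"""
import re

ALLOWED_HOSTS = {"cms.example.com"}         # assumption: the site's real host(s)
RESET_TRIGGER_PATHS = {"/forgot-password"}  # assumption: endpoint that emails a reset link

# Constructed log format: <ts> <client> <method> <path> host=<Host> xfh=<X-Forwarded-Host or ->
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"host=(?P<host>\S+) xfh=(?P<xfh>\S+)$"
)

# Constructed sample lines: one legitimate reset, two poisoning attempts from the
# same client (X-Forwarded-Host, then Host), a legitimate link click, and an
# unrelated page request carrying a stray X-Forwarded-Host.
SAMPLE_LOG = [
    "2026-03-17T10:01:02Z 198.51.100.7 POST /forgot-password host=cms.example.com xfh=-",
    "2026-03-17T10:01:09Z 203.0.113.9 POST /forgot-password host=cms.example.com xfh=attacker.example",
    "2026-03-17T10:02:30Z 203.0.113.9 POST /forgot-password host=attacker.example:443 xfh=-",
    "2026-03-17T10:03:00Z 198.51.100.8 GET /reset-password/f3a9c2e1 host=cms.example.com xfh=-",
    "2026-03-17T10:03:15Z 198.51.100.7 GET /about host=cms.example.com xfh=attacker.example",
]


def _hostname(value):
    """Drop a port and lowercase; '-' means the header was absent."""
    if value == "-":
        return None
    return value.split(":", 1)[0].lower()


def find_reset_poisoning(lines):
    """Return one finding per reset-trigger request whose Host or
    X-Forwarded-Host names a host outside ALLOWED_HOSTS."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["path"] not in RESET_TRIGGER_PATHS:
            continue
        host, xfh = _hostname(m["host"]), _hostname(m["xfh"])
        reasons = []
        if host not in ALLOWED_HOSTS:          # also catches a missing Host header
            reasons.append(f"Host={host}")
        if xfh is not None and xfh not in ALLOWED_HOSTS:
            reasons.append(f"X-Forwarded-Host={xfh}")
        if reasons:
            findings.append({"ts": m["ts"], "client": m["client"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_reset_poisoning(SAMPLE_LOG):
        print(f["ts"], f["client"], ", ".join(f["reasons"]))
```

The rule is scoped to the reset-trigger path so that ordinary traffic with an odd forwarded header (the last sample line) does not fire; if the proxy already overwrites X-Forwarded-Host, any hit on that field indicates a request that bypassed the proxy.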
NVD Description
Raytha CMS allows an attacker to spoof `X-Forwarded-Host` or `Host` headers to an attacker-controlled domain. The attacker (who knows the victim's email address) can force the server to send an email with a password reset link pointing to the domain from the spoofed header. When the victim clicks the link, the browser sends a request to the attacker's domain with the token in the path, allowing the attacker to capture the token. This allows the attacker to reset the victim's password and take over the victim's account. This issue was fixed in version 1.4.6.
Deeper analysis
CVE-2025-69240 is a vulnerability in Raytha CMS that lets an attacker spoof the `X-Forwarded-Host` or `Host` header to an attacker-controlled domain. Published on 2026-03-16, it stems from the server trusting these headers (CWE-348, Use of Less Trusted Source) when it builds the absolute URL for password reset links. The issue affects Raytha CMS versions prior to 1.4.6 and carries a CVSS v3.1 score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H): the reset request is reachable over the network and needs no privileges or special conditions, but the victim must click the poisoned link (UI:R); a successful takeover then has high confidentiality, integrity and availability impact.
An attacker who knows a victim's email address exploits this by submitting the forgot-password request with a spoofed header. The server, using the spoofed value as the site's origin, emails the victim a reset link that points at the attacker's domain; because the message is sent by the legitimate Raytha instance, it looks genuine. When the victim clicks the link, the browser requests the attacker's domain with the reset token in the URL path, and the attacker captures it. With the token the attacker resets the victim's password and takes over the account, without ever needing access to the victim's mailbox.
The vulnerability was addressed in Raytha CMS version 1.4.6. Additional details are available in advisories from CERT.pl (https://cert.pl/en/posts/2026/03/CVE-2025-69236) and the Raytha website (https://raytha.com). Practitioners should upgrade to the patched version. Where that cannot happen immediately, have the reverse proxy overwrite `X-Forwarded-Host` with the canonical host rather than pass the client's value through, and afterwards verify the fix by requesting a reset with a spoofed `X-Forwarded-Host` and confirming the emailed link still uses the canonical host. The same review applies to other CMS platforms that build absolute URLs from request headers.
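The attack flow above, and the SI-10 style validation listed under the mitigating controls, side by side as an added example. This is not Raytha's code and does not reproduce its internals; the canonical origin, host allowlist, trusted-proxy address, function names and token value are assumptions made for the illustration. The vulnerable builder rebuilds the link's origin from request headers; the hardened one uses a configured origin, honours `X-Forwarded-Host` only from a trusted proxy, and rejects requests for hosts the site does not serve.

```python
"""
Password-reset link generation: vulnerable pattern beside a hardened one.
Added example for CVE-2025-69240; not Raytha's code.
"""
from urllib.parse import urlsplit

CANONICAL_ORIGIN = "https://cms.example.com"  # assumption: operator-configured site URL
ALLOWED_HOSTS = {"cms.example.com"}           # assumption: hosts the site is served on
TRUSTED_PROXIES = {"10.0.0.5"}                # assumption: address of the edge proxy
RESET_PATH = "/reset-password/"


def vulnerable_reset_link(headers, token):
    """Vulnerable pattern: the link's origin comes from request headers, with
    X-Forwarded-Host preferred over Host. Whoever sends the request that
    triggers the reset email chooses where the victim's browser delivers the token."""
    host = headers.get("X-Forwarded-Host") or headers.get("Host", "")
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{host}{RESET_PATH}{token}"


def effective_host(headers, remote_addr):
    """Hostname the request is really addressed to. X-Forwarded-Host is honoured
    only when the immediate peer is a trusted proxy; otherwise Host is used."""
    host = headers.get("Host", "")
    if remote_addr in TRUSTED_PROXIES and headers.get("X-Forwarded-Host"):
        host = headers["X-Forwarded-Host"]
    return host.split(":", 1)[0].lower()


def hardened_reset_link(headers, token, remote_addr):
    """Hardened pattern: reject requests for hosts the site does not serve, and
    never derive the emailed origin from the request; use the configured one."""
    hostname = effective_host(headers, remote_addr)
    if hostname not in ALLOWED_HOSTS:
        raise ValueError(f"rejected password reset for unexpected host {hostname!r}")
    return f"{CANONICAL_ORIGIN}{RESET_PATH}{token}"


def link_leaks_token(link, token):
    """True when following the link would send the token to a host outside the allowlist."""
    parts = urlsplit(link)
    return token in parts.path and (parts.hostname or "") not in ALLOWED_HOSTS


if __name__ == "__main__":
    token = "f3a9c2e1"  # constructed; a real token is long and random
    spoofed = {"Host": "cms.example.com", "X-Forwarded-Host": "attacker.example"}
    print("vulnerable:", vulnerable_reset_link(spoofed, token))
    print("hardened:  ", hardened_reset_link(spoofed, token, remote_addr="203.0.113.9"))
```

The allowlist is kept as a backstop even behind a trusted proxy: if the proxy forwards the client's `X-Forwarded-Host` unchanged, the request is refused rather than turned into a link. Web frameworks generally expose the same two knobs, a set of trusted proxies for forwarded headers and a host allowlist (in ASP.NET Core, `ForwardedHeadersOptions.KnownProxies` and the `AllowedHosts` setting); the page does not say which stack Raytha uses, so check the equivalent in the actual deployment.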
Details
- CWE(s)