Cyber Posture

CVE-2025-69614

Severity: Critical
Published: 10 March 2026
Modified: 07 May 2026
CVSS Score: 9.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0002 (5.9th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-69614 is a critical-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in the Telekom Account Management Portal. Its CVSS base score is 9.4 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its EPSS exploit likelihood ranks at the 5.9th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- Prevent: IA-5 directly manages authenticators, including password reset activation tokens, to prevent reuse through single-use enforcement, expiration, and secure handling procedures.
- Prevent: AC-3 enforces approved access authorizations that require validation of unique, non-reused activation tokens prior to allowing password resets.
- Prevent: AC-2 establishes account management processes, including secure password recovery mechanisms, to mitigate unauthorized resets and account takeovers.

MITRE ATT&CK Enterprise Techniques (AI-generated)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1098 Account Manipulation (Persistence): Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

Why these techniques?

Direct exploitation of the public-facing password reset endpoint (T1190) enables unauthorized credential changes and account takeover (T1098).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Incorrect Access Control via activation token reuse on the password-reset endpoint allowing unauthorized password resets and full account takeover. Affected Product: Deutsche Telekom AG Telekom Account Management Portal, versions before 2025-10-27, fixed 2025-10-31.

Deeper analysis (AI-generated)

CVE-2025-69614 is an incorrect access control vulnerability stemming from activation token reuse on the password-reset endpoint of the Deutsche Telekom AG Telekom Account Management Portal. This flaw enables unauthorized password resets and full account takeover. It affects versions of the portal prior to 2025-10-27 and was assigned a CVSS v3.1 base score of 9.4 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L), with CWE-640: Weak Password Recovery Mechanism for Forgotten Password.

Remote attackers require no privileges, authentication, or user interaction to exploit the vulnerability over the network with low complexity. By reusing activation tokens, they can perform unauthorized password resets, achieving full account takeover. This results in high impacts to confidentiality and integrity, with low impact to availability.

The vulnerability was addressed in a fix released on 2025-10-31. For detailed mitigation guidance and patch deployment, refer to vendor advisories including https://www.telekom.com/en/company/data-privacy-and-security/news/acknowledgements-358300#R and https://gist.github.com/ethicalrohitt/b3e6d071aac8530459e8b3a5720bb832. The CVE was published on 2026-03-10.
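The root cause described above is a reset token that stays valid after it has been consumed, and the IA-5 control listed earlier names the fix: single-use enforcement, expiration, and secure handling. The following is an added illustration of such a token store and reset handler; it is not Deutsche Telekom's code and knows nothing about the real portal's implementation. The class, function and account names are assumptions for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60  # reset links are short-lived

@dataclass
class ResetRecord:
    account: str
    expires_at: float
    used: bool = False

class ResetTokenStore:
    """Single-use, expiring reset tokens; only SHA-256(token) is stored,
    so a copy of the store cannot be replayed against the endpoint."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be tested
        self._records: Dict[bytes, ResetRecord] = {}

    @staticmethod
    def _key(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def issue(self, account: str) -> str:
        # A newly issued token supersedes any earlier token for the account.
        self._records = {k: r for k, r in self._records.items() if r.account != account}
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, not guessable
        self._records[self._key(token)] = ResetRecord(account, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Account on first valid use; None if unknown, expired, or already
        used (the reuse case behind CWE-640)."""
        rec = self._records.get(self._key(token))
        if rec is None or rec.used or self._now() > rec.expires_at:
            return None
        rec.used = True  # burn the token before any account state changes
        return rec.account

def reset_password(store: ResetTokenStore, token: str, new_password: str,
                   passwords: Dict[str, str]) -> bool:
    """Reset-endpoint handler: the password changes only if redeem() succeeds."""
    account = store.redeem(token)
    if account is None:
        return False
    passwords[account] = new_password  # constructed stand-in for a real credential store
    return True
```

A second submission of the same link, an expired link, or a link superseded by a newer request all fail closed, which is the behaviour the affected endpoint lacked.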

Details

CWE(s): CWE-640 (Weak Password Recovery Mechanism for Forgotten Password)

Affected Products: telekom account management portal, ≤ 2025-10-27

CVEs Like This One

- CVE-2025-69615: same product (Telekom Account Management Portal)
- CVE-2026-27593: shared CWE-640
- CVE-2025-63314: shared CWE-640
- CVE-2026-1325: shared CWE-640
- CVE-2026-40585: shared CWE-640
- CVE-2022-50910: shared CWE-640
- CVE-2026-29199: shared CWE-640
- CVE-2026-25858: shared CWE-640
- CVE-2020-37172: shared CWE-640
- CVE-2026-30459: shared CWE-640
