Cyber Resilience

CVE-2026-25753

Severity: Critical
Published: 06 February 2026
Modified: 11 February 2026
CVSS v4 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0036 (27.4th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-25753 is a critical-severity Use of Hard-coded Password (CWE-259) vulnerability in Prasklatechnology Placipy. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Default Accounts (T1078.001). The CVE ranks at the 27.4th percentile by EPSS exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-5 (Authenticator Management).

Deeper analysis

CVE-2026-25753 is a critical vulnerability in PlaciPy version 1.0.0, a placement management system designed for educational institutions. The flaw stems from the use of a hard-coded, static default password for all newly created student accounts, enabling mass account takeover once the password is known. It is classified under CWE-259 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting its high severity due to network accessibility, low complexity, and lack of prerequisites.

Any unauthenticated attacker with network access can exploit this vulnerability by obtaining the static default password and using it to log in as any student account. Exploitation requires no privileges or user interaction, resulting in full compromise of affected accounts across the system. This allows attackers to achieve high impacts on confidentiality, integrity, and availability, potentially exposing sensitive student data and enabling unauthorized actions within the placement management platform.

The GitHub security advisory (GHSA-6537-cf56-j9w2) at https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-6537-cf56-j9w2 documents the issue and should be consulted for mitigation guidance, including any available patches or workarounds.

Vulnerability details

PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password for all newly created student accounts. This results in mass account takeover, allowing any attacker to log in as any student once the password is known.

CWE(s)

CWE-259 Use of Hard-coded Password

Related Threats

MITRE ATT&CK Enterprise Techniques

T1078.001 Default Accounts (Stealth)
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Hard-coded static default password for all new accounts directly enables use of default/valid accounts for unauthenticated login and account takeover (T1078.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25809 (same product: Prasklatechnology Placipy)
CVE-2026-25876 (same product: Prasklatechnology Placipy)
CVE-2026-25812 (same product: Prasklatechnology Placipy)
CVE-2026-25810 (same product: Prasklatechnology Placipy)
CVE-2026-25813 (same product: Prasklatechnology Placipy)
CVE-2026-25811 (same product: Prasklatechnology Placipy)
CVE-2026-25875 (same product: Prasklatechnology Placipy)
CVE-2026-25814 (same product: Prasklatechnology Placipy)
CVE-2025-2343 (shared CWE-259)
CVE-2025-70798 (shared CWE-259)

Affected Assets

Vendor: prasklatechnology
Product: placipy
Version: 1.0.0

Mitigating Controls (NIST 800-53 r5)

Prevent: IA-5 (Authenticator Management) explicitly requires changing default authenticators prior to first use and secure management of passwords, directly preventing exploitation of the hard-coded static default password for all student accounts.

Prevent: AC-2 (Account Management) mandates procedures for account management that prohibit shared or default credentials, ensuring student accounts require unique passwords upon creation to block mass takeovers.

Prevent: CM-6 (Configuration Settings) requires secure baseline configuration settings, mitigating the insecure hard-coded password by enforcing verified configurations without defaults.
