Cyber Posture

CVE-2026-25858

Critical · Public PoC

Published: 07 February 2026

Modified: 07 April 2026
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0035 (57.8th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25858 is a critical-severity Weak Password Recovery Mechanism for Forgotten Password (CWE-640) vulnerability in Macrozheng Mall. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 42.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and IA-5 (Authenticator Management).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

prevent: IA-5 mandates protection of authenticator content from unauthorized disclosure and compromise, directly preventing OTP exposure and improper validation in the password reset workflow.

prevent: SI-15 requires filtering sensitive information such as OTPs from API responses, blocking unauthenticated attackers from retrieving them using a victim's telephone number.

prevent: AC-14 restricts privileged actions like password reset initiation and OTP retrieval to require identification and authentication, eliminating unauthenticated account takeover.

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability enables unauthenticated remote attackers to exploit a public-facing web application API flaw in the password reset workflow, directly facilitating arbitrary account takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim's telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.

Deeper analysis · AI

CVE-2026-25858 is an authentication vulnerability (CWE-640) in macrozheng mall version 1.0.3 and prior, specifically within the mall-portal password reset workflow. The flaw stems from the password reset process exposing the one-time password (OTP) directly in the API response and validating reset requests only by comparing the provided OTP against a value stored by telephone number, without any verification of user identity or telephone number ownership. This enables unauthenticated attackers to reset arbitrary user passwords using just a victim's telephone number, which may be known or guessable. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

An unauthenticated attacker with network access can exploit this vulnerability remotely and with low complexity. By obtaining a victim's telephone number, the attacker triggers the password reset flow to retrieve the OTP from the API response, then submits it along with a new password to complete the reset. This results in full account takeover, with high impact on the confidentiality and integrity of the victim's data, such as reading sensitive information or modifying account settings.
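To make the two defects concrete, here is a constructed Python sketch (added here; it is not the mall project's code) of a reset flow with both defects beside a hardened version that keeps the OTP out of the API response, delivers it out of band, binds it to an opaque single-use token with expiry and attempt limits, and compares it in constant time. The phone numbers, `USERS` store and `SMS_INBOX` channel are constructed stand-ins.

```python
import hashlib
import hmac
import secrets
import time

USERS = {"13800000000": "alice", "13900000000": "bob"}  # constructed sample user store
SMS_INBOX = {}  # stand-in for the out-of-band channel: what each phone would actually receive

def weak_request_otp(store, telephone):
    """Mirrors the advisory's flaw: OTP keyed only by telephone and echoed in the API response."""
    otp = f"{secrets.randbelow(10**6):06d}"
    store[telephone] = otp
    return {"code": 200, "data": otp}  # whoever supplied the number now holds the OTP

def weak_reset_password(store, telephone, otp, new_password):
    # Only checks that the OTP matches the one stored for the phone; ownership is never proven.
    return store.get(telephone) == otp

class HardenedResetService:
    """Same workflow with the OTP kept out of the response and bound to an opaque, expiring token."""
    OTP_TTL_SECONDS = 300
    MAX_ATTEMPTS = 5

    def __init__(self):
        self.pending = {}  # opaque reset token -> pending reset record

    def request_otp(self, telephone):
        token = secrets.token_urlsafe(32)
        if telephone in USERS:
            otp = f"{secrets.randbelow(10**6):06d}"
            self.pending[token] = {"phone": telephone,
                                   "otp_hash": hashlib.sha256(otp.encode()).digest(),
                                   "expires": time.monotonic() + self.OTP_TTL_SECONDS,
                                   "attempts": 0}
            SMS_INBOX[telephone] = otp  # delivered to the phone, never returned to the caller
        # Same-shaped response for known and unknown numbers, so the API does not confirm accounts.
        return {"code": 200, "data": {"reset_token": token}}

    def reset_password(self, token, otp, new_password):
        rec = self.pending.get(token)
        if rec is None:
            return False
        rec["attempts"] += 1
        if time.monotonic() > rec["expires"] or rec["attempts"] > self.MAX_ATTEMPTS:
            del self.pending[token]  # expired or exhausted: the token is burned
            return False
        if not hmac.compare_digest(rec["otp_hash"], hashlib.sha256(otp.encode()).digest()):
            return False  # wrong OTP; the attempt counter above bounds guessing
        del self.pending[token]  # single use: token and OTP cannot be replayed
        return True  # a real service would hash and store new_password for rec["phone"] here
```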

Mitigation details are available in related advisories, including the GitHub issue tracker at https://github.com/macrozheng/mall/issues/946, the project website at https://www.macrozheng.com/, and the VulnCheck advisory at https://www.vulncheck.com/advisories/macrozheng-mall-unauthenticated-password-reset-via-otp-disclosure.

Details

CWE(s): CWE-640 Weak Password Recovery Mechanism for Forgotten Password

Affected Products: macrozheng mall ≤ 1.0.3

CVEs Like This One

CVE-2025-63314 (shared CWE-640)
CVE-2026-42606 (shared CWE-640)
CVE-2020-37172 (shared CWE-640)
CVE-2026-29199 (shared CWE-640)
CVE-2026-40585 (shared CWE-640)
CVE-2022-50910 (shared CWE-640)
CVE-2024-57432 (same vendor: Macrozheng)
CVE-2024-57433 (same vendor: Macrozheng)
CVE-2026-1325 (shared CWE-640)
CVE-2025-12866 (shared CWE-640)
