CVE-2026-32865
Published: 19 March 2026
Summary
CVE-2026-32865 is a critical-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Opexustech Ecase Ecomplaint. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 18.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- IA-5 (Authenticator Management): Requires protecting authenticator content from unauthorized disclosure and establishing secure procedures for authenticator replacement during password resets, directly preventing exposure of the secret verification code.
- SI-2 (Flaw Remediation): Mandates timely flaw remediation, including patching the specific vulnerability in the ForcePasswordReset.aspx endpoint to eliminate the secret code exposure.
- Establishes procedures for secure account modification, including password resets, to ensure only authorized changes occur without leaking verification codes.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remotely exploitable flaw in the password reset endpoint (ForcePasswordReset.aspx) of a public-facing web application that leaks a secret verification code, which maps directly to T1190 (Exploit Public-Facing Application) for any unauthenticated remote attacker. Successful exploitation results in an unauthorized password reset and full account takeover, which in turn facilitates T1078 (Valid Accounts) without requiring prior credentials or user interaction.
NVD Description
OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process.
Deeper analysis
CVE-2026-32865 is a critical vulnerability in OPEXUS eComplaint and eCASE software versions prior to 10.1.0.0. It stems from the inclusion of a secret verification code in the HTTP response when a password reset is requested via the 'ForcePasswordReset.aspx' endpoint. This exposure, linked to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-640 (Weak Password Recovery Mechanism for Forgotten Identity), earned a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-19.
The vulnerability can be exploited remotely by any unauthenticated attacker who knows a target user's existing email address; no privileges, user interaction, or special conditions are required. By initiating a password reset request, the attacker receives the secret code directly in the response, which allows them to complete the process, reset the user's password, and overwrite the security questions without ever answering the existing ones. Successful exploitation leads to full account takeover with high impact on confidentiality, integrity, and availability.
Advisories recommend upgrading to OPEXUS eComplaint and eCASE version 10.1.0.0 or later to mitigate the issue. Key references include the CISA CSAF advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-077-01.json and the official CVE record at https://www.cve.org/CVERecord?id=CVE-2026-32865.
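To make the two weaknesses concrete, the following added example (constructed for this page, not OPEXUS code and not a reconstruction of ForcePasswordReset.aspx) contrasts a reset handler that echoes the one-time code in its response (the CWE-200 pattern the advisory describes) with a hardened handler that delivers the code out of band only, answers identically for unknown accounts, and requires the existing security answer before any change (closing the CWE-640 gap). The user store, outbox and e-mail addresses are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory fixtures standing in for the application's user table
# and its e-mail channel. sha256 keeps the demo short; a real system stores
# passwords and security answers with a dedicated password hasher.
def _h(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

USERS = {
    "alice@example.com": {
        "password_hash": _h("old-password"),
        "security_answer_hash": _h("fluffy"),
    }
}
PENDING_RESETS = {}   # email -> hash of the unexpired one-time code
OUTBOX = []           # (email, code) pairs "sent" out of band

def request_reset_weak(email: str) -> dict:
    """Weak pattern: the verification code is returned in the HTTP response,
    so whoever issued the request holds the secret (CWE-200)."""
    code = secrets.token_hex(4)
    PENDING_RESETS[email] = _h(code)
    return {"status": "ok", "verification_code": code}

def request_reset_fixed(email: str) -> dict:
    """Hardened: the code only ever leaves via the registered e-mail address,
    and the response is identical whether or not the account exists."""
    if email in USERS:
        code = secrets.token_hex(4)
        PENDING_RESETS[email] = _h(code)
        OUTBOX.append((email, code))
    return {"status": "ok"}

def complete_reset_fixed(email: str, code: str, security_answer: str,
                         new_password: str) -> bool:
    """Requires both the out-of-band code and the existing security answer;
    the code is single-use and compared in constant time."""
    user = USERS.get(email)
    expected = PENDING_RESETS.get(email)
    if user is None or expected is None:
        return False
    code_ok = hmac.compare_digest(expected, _h(code))
    answer_ok = hmac.compare_digest(user["security_answer_hash"], _h(security_answer))
    if not (code_ok and answer_ok):
        return False
    PENDING_RESETS.pop(email)
    user["password_hash"] = _h(new_password)
    return True
```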
Details
- CWE(s)