CVE CRITICAL January 12, 2026 · 8 min read

CVE-2025-63314: Static Password Reset Token Enables Full Account Takeover in Acora CMS

A static, non-expiring password reset token in DDSN Interactive Acora CMS v10.7.1 allows unauthenticated attackers to hijack any user account via replay attacks. Rated CVSS 10.0 — the maximum possible score.


CVSS 10.0 — CRITICAL
FieldDetail
CVE IDCVE-2025-63314
SeverityCRITICAL (CVSS 3.1: 10.0)
Affected ProductDDSN Interactive Acora CMS v10.7.1
Vulnerability TypeInsecure Password Reset / Token Replay
PublishedJanuary 12, 2026
Authentication RequiredNone

What Is CVE-2025-63314?

CVE-2025-63314 is a critical authentication bypass vulnerability in DDSN Interactive's Acora CMS version 10.7.1. The password reset function generates static, predictable tokens that do not expire and are not invalidated after use. An attacker who obtains a valid reset token — through interception, log exposure, or any other means — can reuse it indefinitely to reset any user's password and take over their account.

This class of vulnerability, known as a token replay attack, is particularly dangerous in CMS platforms because successful account takeover typically grants access to content management capabilities, potentially allowing attackers to inject malicious content, exfiltrate user data, or pivot to backend infrastructure.

Technical Impact

The vulnerability exists because Acora CMS v10.7.1 uses a deterministic algorithm (or a fixed seed) to generate password reset tokens, rather than a cryptographically secure random value. The token is not tied to a session, does not carry a timestamp for expiry validation, and is not invalidated upon successful use.

⚠ Full Account Takeover Impact Chain

1. Attacker obtains a password reset token (from network intercept, server logs, email forwarding misconfiguration, or brute force)
2. Attacker replays the token to the reset endpoint with a new password
3. Victim's password is changed without their knowledge
4. Attacker logs in with new credentials — full account takeover achieved

Why CVSS 10.0?

The maximum CVSS score reflects: no authentication required (AV:N/AC:L/PR:N/UI:N), complete confidentiality, integrity, and availability impact (C:H/I:H/A:H), and no scope limitation. An internet-exposed Acora CMS instance with this vulnerability is fully compromisable by any unauthenticated attacker.

Affected Versions

Detection Methods

Manual Testing

# 1. Request a password reset for any account
POST /forgot-password HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

email=user@example.com

# 2. Capture the reset token from the email link
# 3. Attempt to reuse the same token after password reset
# 4. If the token is still accepted — vulnerable

# Check token entropy:
# Static/low-entropy tokens will show patterns across multiple resets

Log Analysis

Review your web server access logs for repeated requests to the password reset endpoint with the same token value. Any token appearing more than once indicates a replay attempt or static token vulnerability.

🔍 KENSAI Detection: KENSAI's authentication testing module automatically tests password reset flows for token reuse, static token patterns, missing expiry, and replay attack vectors. CVE-2025-63314 is covered under the Insecure Password Reset check category.

Mitigation Steps

  1. Upgrade immediately: Contact DDSN Interactive for the patched version of Acora CMS that addresses CVE-2025-63314.
  2. Token rotation: Ensure password reset tokens are generated using a CSPRNG (cryptographically secure pseudo-random number generator) with at least 128 bits of entropy.
  3. Token expiry: Reset tokens must expire within 15–60 minutes of generation.
  4. Single-use enforcement: Invalidate the token immediately upon successful use or upon any subsequent reset request for the same account.
  5. Rate limiting: Apply strict rate limiting to the password reset endpoint to prevent brute-force enumeration of tokens.
  6. Monitor for replay attempts: Alert on multiple uses of the same reset token.

KENSAI Detection Capability

KENSAI automatically detects CVE-2025-63314 and similar token replay vulnerabilities through its Authentication Security Assessment module. Our scanner:

Is Your CMS Exposed?

KENSAI scans your web applications for CVE-2025-63314 and hundreds of other critical vulnerabilities. Identify your attack surface before attackers do.

Start Free Security Scan

Published by the KENSAI Security Research Team · More CVE Analysis

Related Articles

EU-Parlament vereinfacht KI-Gesetz, stoppt CSAM-Scanning, NIS2-Lücken, DORA-Bank EU Chips Act Implementation Dialogue, Dell & HP Ship Quantum-Resistant Security, Redirecting...