CVE-2025-63314: Static Password Reset Token Enables Full Account Takeover in Acora CMS
A static, non-expiring password reset token in DDSN Interactive Acora CMS v10.7.1 allows unauthenticated attackers to hijack any user account via replay attacks. Rated CVSS 10.0 — the maximum possible score.
| Field | Detail |
|---|---|
| CVE ID | CVE-2025-63314 |
| Severity | CRITICAL (CVSS 3.1: 10.0) |
| Affected Product | DDSN Interactive Acora CMS v10.7.1 |
| Vulnerability Type | Insecure Password Reset / Token Replay |
| Published | January 12, 2026 |
| Authentication Required | None |
What Is CVE-2025-63314?
CVE-2025-63314 is a critical authentication bypass vulnerability in DDSN Interactive's Acora CMS version 10.7.1. The password reset function generates static, predictable tokens that do not expire and are not invalidated after use. An attacker who obtains a valid reset token — through interception, log exposure, or any other means — can reuse it indefinitely to reset any user's password and take over their account.
This class of vulnerability, known as a token replay attack, is particularly dangerous in CMS platforms because successful account takeover typically grants access to content management capabilities, potentially allowing attackers to inject malicious content, exfiltrate user data, or pivot to backend infrastructure.
Technical Impact
The vulnerability exists because Acora CMS v10.7.1 uses a deterministic algorithm (or a fixed seed) to generate password reset tokens, rather than a cryptographically secure random value. The token is not tied to a session, does not carry a timestamp for expiry validation, and is not invalidated upon successful use.
⚠ Full Account Takeover Impact Chain
1. Attacker obtains a password reset token (from network intercept, server logs, email forwarding misconfiguration, or brute force)
2. Attacker replays the token to the reset endpoint with a new password
3. Victim's password is changed without their knowledge
4. Attacker logs in with new credentials — full account takeover achieved
Why CVSS 10.0?
The maximum CVSS score reflects: no authentication required (AV:N/AC:L/PR:N/UI:N), complete confidentiality, integrity, and availability impact (C:H/I:H/A:H), and no scope limitation. An internet-exposed Acora CMS instance with this vulnerability is fully compromisable by any unauthenticated attacker.
Affected Versions
- Confirmed vulnerable: DDSN Interactive Acora CMS v10.7.1
- Earlier versions: May be affected — audit your installation
- Fixed version: Apply vendor patch or upgrade — contact DDSN Interactive
Detection Methods
Manual Testing
# 1. Request a password reset for any account POST /forgot-password HTTP/1.1 Host: target.com Content-Type: application/x-www-form-urlencoded email=user@example.com # 2. Capture the reset token from the email link # 3. Attempt to reuse the same token after password reset # 4. If the token is still accepted — vulnerable # Check token entropy: # Static/low-entropy tokens will show patterns across multiple resets
Log Analysis
Review your web server access logs for repeated requests to the password reset endpoint with the same token value. Any token appearing more than once indicates a replay attempt or static token vulnerability.
🔍 KENSAI Detection: KENSAI's authentication testing module automatically tests password reset flows for token reuse, static token patterns, missing expiry, and replay attack vectors. CVE-2025-63314 is covered under the Insecure Password Reset check category.
Mitigation Steps
- Upgrade immediately: Contact DDSN Interactive for the patched version of Acora CMS that addresses CVE-2025-63314.
- Token rotation: Ensure password reset tokens are generated using a CSPRNG (cryptographically secure pseudo-random number generator) with at least 128 bits of entropy.
- Token expiry: Reset tokens must expire within 15–60 minutes of generation.
- Single-use enforcement: Invalidate the token immediately upon successful use or upon any subsequent reset request for the same account.
- Rate limiting: Apply strict rate limiting to the password reset endpoint to prevent brute-force enumeration of tokens.
- Monitor for replay attempts: Alert on multiple uses of the same reset token.
KENSAI Detection Capability
KENSAI automatically detects CVE-2025-63314 and similar token replay vulnerabilities through its Authentication Security Assessment module. Our scanner:
- Tests password reset flows for token entropy and predictability
- Verifies token expiry enforcement
- Confirms tokens are invalidated after use
- Checks for rate limiting on reset endpoints
- Maps findings to OWASP Top 10 A07:2021 (Identification and Authentication Failures)
Is Your CMS Exposed?
KENSAI scans your web applications for CVE-2025-63314 and hundreds of other critical vulnerabilities. Identify your attack surface before attackers do.
Start Free Security ScanPublished by the KENSAI Security Research Team · More CVE Analysis