External risk intelligence

DDSN Acora CMS Password Reset Token Vulnerability Allows Account Takeover

CVE advisorySeverity: CRITICAL (CVSS 10.0)

CVE-2025-63314

The vulnerability exists in a content management system (CMS), which is a product typically deployed as an internet-facing web application to serve public or authenticated content, making its password reset and account management functions commonly accessible over the internet.

Ddsn Cm3 Acora Cms

10.7.1

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in the password reset function of DDSN Interactive Acora CMS, specifically related to static tokens. This issue could allow unauthorized individuals to reset user passwords and gain full account control through a replay attack. The main concern is confirming whether our systems utilize this technology and if they are exposed.

  • Static password tokens enable account takeover.
  • Confirms relevance and exposure of affected systems.
  • Assess if this technology is in use.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending a crafted request to the password reset function of the affected content management system. Since the system uses a static token for password resets, an attacker could intercept or guess this token and then use it to reset any user's password, ultimately leading to a full account takeover.

  • No authentication or special access is required.
  • An attacker triggers the vulnerability via replay attack.
  • Leads to full account takeover and arbitrary code execution.

Live Threat

Current exploitation, exposure, and threat context

A static password reset token in Acora CMS allows attackers to take over user accounts through a replay attack. This could affect user accounts and potentially any data associated with them when the password reset function is accessible.

  • User accounts and associated data.
  • Via replay of static reset tokens.
  • Complete account takeover possible.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in DDSN Interactive Acora CMS affects account takeover capabilities via a static password reset token, making it critical for teams managing public-facing web applications. The first step is to identify all instances of the affected CMS, determine their reachability and business criticality, and locate the accountable owner. Planning remediation should then prioritize based on the identified risk.

  • Own the vulnerability triage and remediation.
  • Verify CMS instances and exposure.
  • Plan vendor coordination and patching.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is DDSN Acora CMS?

DDSN Interactive Acora CMS is a content management system designed for managing digital content and web presence. Organizations use it to serve web pages and handle user interactions, often requiring features like password management to allow users or administrators to securely update their account access.

What does CWE-640 mean for CVE-2025-63314?

This vulnerability is classified as CWE-640, which refers to a failure to use a one-time, cryptographically secure password reset token. Instead of generating a unique, temporary key for each request, the system uses a static token. Because this token does not expire or change, an attacker can capture it and reuse it to reset passwords for any account.

How is this replay attack triggered?

An attacker triggers this by submitting a specially crafted request to the password reset function of the CMS. Because the token is static, it remains valid regardless of when it was originally issued. Note that this attack does not require the attacker to have existing authentication or special permissions to the system; they simply need to be able to interact with the password reset process.

Is my system at risk according to Halo Surface Signal?

According to Halo Surface Signal, this vulnerability is highly relevant if your instance of Acora CMS is internet-facing. Because content management systems are typically hosted to serve public web traffic, the password reset function is often exposed to the network. If your CMS is reachable from the internet, the potential for unauthorized account takeover is significantly higher.

What steps should I take if I use this software?

First, conduct an audit to locate all running instances of Acora CMS within your environment and identify the teams responsible for them. Prioritize these systems based on their accessibility and the sensitivity of the data they hold. Coordinate with your IT or security team to review official guidance from DDSN and plan for necessary updates to secure your password management processes.

References