External risk intelligence

Attacker can take over OpenAEV accounts with no access needed

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-24467

An external attacker can exploit the OpenAEV password reset feature to hijack user accounts, including administrator access. This allows them to steal sensitive simulation data and seize full control over the platform and connected systems.

Halo Surface Signal score: 3

Filigran OpenAEV

1.0.0 to before 2.0.13

External exposure likelihood

Halo Surface Signal score for CVE-2026-24467

OpenAEV is a web-based cyber adversary simulation platform. Although it is a network-accessible application, it is typically deployed as an internal security or administrative tool rather than as a service intended for public-internet exposure. Remote access is plausible depending on organizational needs, but the platform is not commonly public-facing by design.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in OpenAEV allows an unauthenticated attacker to take over any user account. The issue stems from password reset tokens that do not expire and are only 8 digits long, enabling attackers to guess valid tokens and reset user passwords. This can lead to a complete compromise of the platform.

  • Account takeover via password reset.
  • Affects any registered user account.
  • Attack is remote and unauthenticated.

Attack Path

How an attacker could exploit the issue

An attacker can achieve account takeover by exploiting OpenAEV's flawed password reset mechanism. They can repeatedly generate password reset tokens, which never expire, and then brute-force these tokens to gain access to any user account, including administrative ones. This attack requires no prior authentication and can be scaled to compromise multiple accounts by obtaining or guessing registered email addresses.

  • Only unauthenticated network access to the application is required.
  • Vulnerable password reset functionality.
  • Tokens do not expire.
  • Predictable token format.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated attackers to take over any user account by resetting passwords, even administrator accounts. The flaws, specifically non-expiring and short password reset tokens, make exploitation reliably scalable. Attackers would favor this for its potential to gain full control of a sensitive security testing platform.

  • Exploitable remotely without authentication.
  • Reliable account takeover method.
  • Public exploit code not yet observed.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize the immediate containment and remediation of OpenAEV instances due to a critical vulnerability allowing unauthenticated account takeover. Focus on identifying all deployed instances, assessing their exposure, and applying the patch to prevent further compromise.

  • Patch OpenAEV to version 2.0.13 or later.
  • Isolate affected OpenAEV services if patching is delayed.
  • Monitor for signs of unauthorized password resets.

Frequently asked questions

What is OpenAEV and its primary function?

OpenAEV is an open-source platform for planning, scheduling, and conducting cyber adversary simulation campaigns and tests. It assists security teams in organizing exercises that combine technical actions with operational and human response elements to test and validate defenses against realistic attack scenarios [2, 6, 11].

What is the core weakness in OpenAEV's password reset feature?

The vulnerability (CWE-640) lies in OpenAEV's password reset mechanism. Password reset tokens do not expire and are only 8 digits long. This allows an attacker to accumulate valid tokens over time and brute-force them to reset any user's password, leading to account takeover [4, 5, 12].
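As an added illustration (this is not OpenAEV's code nor the advisory's), the Python below contrasts the two properties the advisory names, a short numeric token space and tokens that accumulate without expiring, with the reset-token handling a defender would expect: long random tokens stored only as a hash, a bounded lifetime, single use, one outstanding token per account, and a cap on failed redemptions. The 15-minute window, the attempt cap and the uniform-guess model in `expected_guesses` are assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time


def expected_guesses(token_digits, outstanding_tokens):
    """Average brute-force attempts needed to hit any one of k valid tokens
    drawn from a space of 10**n numeric tokens (constructed model: uniform,
    independent guesses). Quantifies why tokens that never expire and pile
    up make an 8-digit code cheap to hit: 10**8 // k."""
    return 10 ** token_digits // outstanding_tokens


class ResetTokenStore:
    """Hardened password-reset token handling (added example, not OpenAEV code)."""

    def __init__(self, ttl_seconds=900, max_attempts=5, now=time.time):
        self.ttl = ttl_seconds          # assumption: 15-minute validity window
        self.max_attempts = max_attempts  # assumption: revoke after 5 bad guesses
        self.now = now                  # injectable clock so tests can advance time
        self._tokens = {}               # email -> [sha256 hex, expiry, failed attempts]

    def issue(self, email):
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, not 8 digits
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Overwriting the entry invalidates any earlier token for this account,
        # so repeated reset requests cannot accumulate a pool of valid tokens.
        self._tokens[email] = [digest, self.now() + self.ttl, 0]
        return token   # delivered to the user out of band; only the hash is kept

    def redeem(self, email, token):
        entry = self._tokens.get(email)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self.now() > expires_at:
            del self._tokens[email]     # expired tokens are discarded, never honoured
            return False
        candidate = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(candidate, digest):
            entry[2] = attempts + 1
            if entry[2] >= self.max_attempts:
                del self._tokens[email]  # too many wrong guesses: token revoked
            return False
        del self._tokens[email]         # single use: a redeemed token cannot be replayed
        return True
```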

How can an attacker exploit OpenAEV's password reset flaw?

An unauthenticated attacker can repeatedly generate password reset tokens, which remain valid indefinitely. By brute-forcing these 8-digit tokens, they can gain access to any user account, including administrative ones, without needing prior authentication [5, 7, 12].

What is the impact of the OpenAEV vulnerability on security operations?

Successful exploitation allows an unauthenticated remote attacker to reset any registered user's password, leading to complete platform compromise. This could include accessing sensitive simulation data or modifying agent payloads to compromise hosts where agents are installed [5, 7, 9, 12].

How can organizations remediate the OpenAEV password reset vulnerability?

The critical vulnerability is addressed by updating OpenAEV to version 2.0.13 or later. If immediate patching is not possible, affected OpenAEV services should be isolated, and monitoring for unauthorized password resets should be intensified [4, 12].

References