CVE-2025-63314

DDSN · DDSN Interactive Acora CMS

A critical vulnerability has been identified in DDSN Interactive Acora CMS, which allows an attacker to easily take over any user account.

Executive summary

A critical vulnerability in DDSN Interactive Acora CMS allows an attacker to take over any user account. The flaw is a predictable (static) password reset token: the same value is accepted for every reset, so anyone who knows it can reset any user's password, including administrators', and gain complete control of the system. This presents a severe risk of data breach, website defacement, and further system compromise.

Vulnerability

The password reset mechanism in the affected software uses a static, predictable token: the server checks only that the submitted token matches a fixed value, not that the value was generated for this user and this reset request. An attacker therefore needs no access to the victim's mailbox. They initiate a password reset for the target account, then submit a password change request carrying the known static token. Because the token never changes and is not bound to a user or session, the system accepts the request, the attacker sets a new password, and the account is fully taken over.
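To make the failure concrete, the following is an added illustration (not Acora CMS code; the product's real token value, endpoints and storage are not known and are not reproduced here). It places a reset service that accepts one fixed token for every account beside one that issues a random, user-bound, hashed, single-use, expiring token, and shows that the attacker's move described above succeeds only against the first. STATIC_RESET_TOKEN is a placeholder, and both services are constructed for the example.

```python
"""Static versus per-request password reset tokens.

Constructed example, not code from Acora CMS or its vendor.  The placeholder
token, class names and in-memory stores are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
import time

# --- Vulnerable pattern: one fixed token is accepted for every account -------
STATIC_RESET_TOKEN = "reset-token"   # placeholder; the real value is not known


class VulnerableResetService:
    """Every reset request yields the same token, so knowing it once is enough."""

    def __init__(self, users):
        self.passwords = dict(users)      # username -> password (plaintext only for brevity)
        self.pending = set()

    def request_reset(self, username):
        # The token is neither random nor bound to the user or the request.
        self.pending.add(username)
        return STATIC_RESET_TOKEN

    def complete_reset(self, username, token, new_password):
        if username in self.pending and token == STATIC_RESET_TOKEN:
            self.passwords[username] = new_password
            return True
        return False


# --- Hardened pattern: random, user-bound, hashed at rest, single use, expiring
class HardenedResetService:
    TOKEN_TTL = 15 * 60   # seconds a reset token stays valid

    def __init__(self, users, now=time.time):
        self.passwords = dict(users)
        self.pending = {}     # username -> (sha256(token), expiry timestamp)
        self.now = now        # injectable clock so expiry can be exercised

    def request_reset(self, username):
        token = secrets.token_urlsafe(32)                         # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()       # store only a hash
        self.pending[username] = (digest, self.now() + self.TOKEN_TTL)
        return token   # in a real system this goes only to the account's mailbox

    def complete_reset(self, username, token, new_password):
        entry = self.pending.get(username)
        if entry is None:
            return False
        digest, expiry = entry
        presented = hashlib.sha256(token.encode()).hexdigest()
        if self.now() > expiry or not hmac.compare_digest(digest, presented):
            return False
        del self.pending[username]                                # single use
        self.passwords[username] = new_password
        return True


def attacker_takeover(service, victim, known_token):
    """The attack from the advisory: trigger a reset for the victim, then submit
    a token the attacker already knows.  The token returned by request_reset is
    discarded because it is delivered to the victim, not to the attacker."""
    service.request_reset(victim)
    return service.complete_reset(victim, known_token, "attacker-chosen")


if __name__ == "__main__":
    print("static token:", attacker_takeover(VulnerableResetService({"admin": "s3cret"}), "admin", STATIC_RESET_TOKEN))
    print("random token:", attacker_takeover(HardenedResetService({"admin": "s3cret"}), "admin", STATIC_RESET_TOKEN))
```

The hardened variant does three things the vulnerable one does not: the token is unguessable, it is looked up under the account it was issued for, and it is consumed on first use and discarded after its lifetime. Hashing the stored copy and comparing with hmac.compare_digest are the usual extra precautions against a database read or a timing oracle.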

Business impact

This vulnerability is rated as critical severity with a CVSS score of 10.0. Successful exploitation grants an attacker complete control over any user account, including those with administrative privileges. The potential consequences include unauthorized access to and exfiltration of sensitive data stored within the CMS, website defacement, distribution of malware through the compromised site, and using the server as a pivot point for further attacks on the internal network. This can lead to severe reputational damage, financial loss, and potential regulatory fines.

Remediation

Immediate Action: Apply the vendor's security update and upgrade every instance of DDSN Interactive Acora CMS to the latest secure version. After patching, review access and audit logs for signs of suspicious activity or unauthorized account access, and rotate the passwords of administrative accounts if there is any indication that the reset flow was abused before the fix was applied.

Proactive Monitoring: Security teams should actively monitor for indicators of compromise. This includes an unusual volume of password reset requests from a single IP address, or reset requests for multiple accounts in quick succession, which is the pattern an attacker working through a user list would produce. Additionally, review audit logs for password changes that the account owner did not initiate, logins from unfamiliar locations, and unauthorized content modifications.
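The two patterns above (a burst of reset requests from one source, and one source targeting several accounts) can be checked mechanically. The following is an added detection example, not part of the advisory and not tied to Acora CMS's real logging: the log line format, the /password/reset endpoint path, the sample entries and the thresholds are all constructed assumptions, to be replaced with the values from the deployment being monitored.

```python
"""Flag bursts of password-reset requests per source IP.

Added detection example.  The log format, the reset endpoint path, the
sample lines and the thresholds below are assumptions, not Acora CMS details.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed application log format: ISO timestamp, client IP, method, path, target user.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+user=(?P<user>\S+)"
)
RESET_PATH = "/password/reset"   # assumed endpoint; substitute the real reset URL

# Constructed sample: one ordinary user resetting twice, half an hour apart, and
# one source working through five accounts in five seconds.
SAMPLE_LOG = """\
2025-11-05T10:00:01Z 198.51.100.4 POST /password/reset user=alice
2025-11-05T10:00:02Z 198.51.100.4 GET /login user=-
2025-11-05T10:00:05Z 203.0.113.7 POST /password/reset user=admin
2025-11-05T10:00:06Z 203.0.113.7 POST /password/reset user=editor
2025-11-05T10:00:07Z 203.0.113.7 POST /password/reset user=webmaster
2025-11-05T10:00:08Z 203.0.113.7 POST /password/reset user=alice
2025-11-05T10:00:09Z 203.0.113.7 POST /password/reset user=bob
2025-11-05T10:30:00Z 198.51.100.4 POST /password/reset user=alice
"""


def parse(lines):
    """Return (timestamp, ip, target_user) for each POST to the reset endpoint."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != RESET_PATH:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_reset_bursts(lines, window=timedelta(minutes=5), max_requests=3, max_targets=2):
    """Return {ip: reason} for every IP that, inside any sliding window, either
    sends more than max_requests reset requests or targets more than
    max_targets distinct accounts.  Thresholds are illustrative."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(parse(lines)):
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            in_window = evs[start:end + 1]
            targets = {u for _, u in in_window}
            if len(in_window) > max_requests:
                alerts[ip] = f"{len(in_window)} reset requests within {window}"
                break
            if len(targets) > max_targets:
                alerts[ip] = f"reset requests for {len(targets)} distinct accounts within {window}"
                break
    return alerts


if __name__ == "__main__":
    for ip, reason in find_reset_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {reason}")
```

The distinct-account check is the more telling one for this bug: a legitimate user who has forgotten a password retries the same account, whereas an attacker exploiting a static token has no reason to stop at one. Tune the window and thresholds to the site's normal reset volume before alerting on them.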

Compensating Controls: If immediate patching is not feasible, implement temporary mitigating controls. These may include disabling the self-service password reset feature, restricting access to the administrative interface (and to the password reset endpoint, where it is separately reachable) to trusted IP addresses only, and enforcing mandatory multi-factor authentication (MFA) for all users, especially administrators. MFA can stop a takeover even after a password has been reset, provided the second factor is checked at login and cannot itself be cleared or re-enrolled through the same self-service flow.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the critical CVSS score of 10.0, this vulnerability represents a direct and immediate threat to the confidentiality, integrity, and availability of the affected system. We strongly recommend that all organizations using DDSN Interactive Acora CMS treat this as a top-priority security issue and apply the vendor-supplied patches without delay. This CVE is not currently on the CISA KEV list, but KEV tracks evidence of active exploitation rather than severity, so its absence is not a reason to deprioritize: an unauthenticated account takeover that requires nothing beyond a fixed token is trivial to weaponize and an attractive target for attackers. Immediate remediation is essential to prevent a full system compromise.