CVE-2025-69614
Deutsche Telekom AG · Telekom Account Management Portal
An activation token reuse vulnerability in the password-reset endpoint of the Telekom Account Management Portal allows unauthorized password resets and full account takeover.
Executive summary
A critical vulnerability in the Telekom Account Management Portal allows unauthenticated attackers to perform unauthorized password resets, resulting in total account takeover.
Vulnerability
This vulnerability involves the improper handling of activation tokens within the password-reset workflow. By reusing valid tokens, an attacker can bypass standard security checks to reset passwords for arbitrary accounts without user interaction.
Business impact
The ability to perform unauthorized password resets leads to total account takeover, enabling attackers to hijack user sessions, exfiltrate private data, and perform administrative actions. With a CVSS score of 9.4, this vulnerability is critical and places the entire user base at high risk of account compromise.
Remediation
Immediate Action: Apply the vendor-provided update released on 2025-10-31 to enforce proper token invalidation.
Proactive Monitoring: Monitor password-reset request logs for spikes in activity or suspicious patterns of token usage that deviate from established baselines.
Compensating Controls: Deploy WAF rules designed to identify and block repeated attempts to access password-reset endpoints with identical or malformed tokens.
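As an added illustration of the token-invalidation and monitoring guidance above (example code, not code from Deutsche Telekom or the portal): a hypothetical single-use reset-token store that deletes a token on first successful use, so a replay of the same token fails, and a detector that flags tokens appearing repeatedly in constructed reset-request log lines.

```python
import hashlib
import secrets
import time
from collections import Counter


class ResetTokenStore:
    """Hypothetical single-use password-reset token store.

    Tokens are stored only as SHA-256 hashes, carry an expiry, and are
    removed on first use, so presenting the same token twice fails.
    """

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._tokens = {}  # token hash -> (account, expiry timestamp)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, account, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = (account, now + self.ttl)
        return token

    def consume(self, token, now=None):
        """Return the account for a valid token and invalidate it; None otherwise."""
        now = time.time() if now is None else now
        entry = self._tokens.pop(self._digest(token), None)  # pop = single use
        if entry is None:
            return None
        account, expiry = entry
        return account if now <= expiry else None


# Constructed sample reset-request log lines (not real portal logs).
SAMPLE_LOG = """\
2025-10-31T10:00:01Z POST /reset token=abc123 status=200
2025-10-31T10:00:05Z POST /reset token=def456 status=200
2025-10-31T10:00:09Z POST /reset token=abc123 status=200
2025-10-31T10:00:12Z POST /reset token=abc123 status=200
"""


def reused_tokens(log_text, threshold=2):
    """Map each reset token seen at least `threshold` times to its count."""
    counts = Counter()
    for line in log_text.splitlines():
        for field in line.split():
            if field.startswith("token="):
                counts[field[len("token="):]] += 1
    return {tok: n for tok, n in counts.items() if n >= threshold}
```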
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability provides a trivial path for attackers to gain full control over user accounts. Immediate patching is required to prevent large-scale account takeover events and maintain the security posture of the portal.