CVE-2017-7615

HIGH NUCLEI

MantisBT < 2.3.0 - Unauthenticated Arbitrary Password Reset via Empty Confirm Hash

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 3 public exploits for CVE-2017-7615. PoCs published by hyp3rlinx, John (hyp3rlinx) Page, Julien (jvoisin) Voisin, including Metasploit module auxiliary/admin/http/mantisbt_password_reset. A Nuclei detection template is also available.

AI-analyzed exploit summary This exploit leverages a pre-authentication password reset vulnerability in Mantis Bug Tracker by bypassing the confirm_hash check in verify.php, allowing an attacker to reset any user's password by supplying an empty confirm_hash value.

Description

MantisBT through 2.3.0 allows arbitrary password reset and unauthenticated admin access via an empty confirm_hash value to verify.php.

Exploits (3)

exploitdb WORKING POC VERIFIED
by hyp3rlinx · textwebappsphp
https://www.exploit-db.com/exploits/41890

This exploit leverages a pre-authentication password reset vulnerability in Mantis Bug Tracker by bypassing the confirm_hash check in verify.php, allowing an attacker to reset any user's password by supplying an empty confirm_hash value.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Mantis Bug Tracker v1.3.0 - 2.3.0
No auth needed
Prerequisites: Target IP, username, user ID, and new password
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →
exploitdb WORKING POC
pythonwebappsphp
https://www.exploit-db.com/exploits/48818

This exploit chains CVE-2017-7615 (password reset) and CVE-2019-15715 (command injection) to achieve unauthenticated RCE in Mantis Bug Tracker. It resets the admin password, logs in, configures malicious settings, and triggers a reverse shell.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Mantis Bug Tracker 1.3.0/2.3.0
No auth needed
Prerequisites: Network access to the target · Mantis Bug Tracker version 1.3.0 or 2.3.0
devstral-2 · analyzed Feb 19, 2026 Full analysis →
metasploit WORKING POC
by John (hyp3rlinx) Page, Julien (jvoisin) Voisin · rubypoc
https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/http/mantisbt_password_reset.rb

This Metasploit module exploits an unauthenticated password reset vulnerability in MantisBT versions before 1.3.10, 2.2.4, and 2.3.1. It allows an attacker to reset the password of any user by manipulating the verification process and setting a new password.

Classification
Working Poc 100%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: MantisBT before 1.3.10, 2.2.4, and 2.3.1
No auth needed
Prerequisites: Network access to the target MantisBT instance · Valid user ID to reset
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

MantisBT <=2.30 - Arbitrary Password Reset/Admin Access
HIGHby bp0lr,dwisiswant0
Shodan: http.favicon.hash:662709064 || cpe:"cpe:2.3:a:mantisbt:mantisbt"
FOFA: icon_hash=662709064

References (6)

Core 6
Core References
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/97707
Issue Tracking, Patch, Vendor Advisory x_refsource_confirm
https://mantisbt.org/bugs/view.php?id=22690
Mailing List, Third Party Advisory x_refsource_misc
http://www.openwall.com/lists/oss-security/2017/04/16/2
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/41890/

Scores

CVSS v3 8.8
EPSS 0.9245
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-640
Status published
Products (2)
mantisbt/mantisbt < 2.3.0
mantisbt/mantisbt 1.3.0-rc.2 - 1.3.10Packagist
Published Apr 16, 2017
Tracked Since Feb 18, 2026