CVE-2025-25968
MEDIUM
Ddsn Cm3 Acora Content Management System - Improper Access Control
DDSN Interactive cm3 Acora CMS version 10.1.1 contains an improper access control vulnerability. An editor-privileged user can access sensitive information, such as system administrator credentials, by force browsing the endpoint and exploiting the 'file' parameter. By referencing specific files (e.g., cm3.xml), attackers can bypass access controls, leading to account takeover and potential privilege escalation.
Exploits (1)
Scores
CVSS v3: 6.0
EPSS: 0.0074
EPSS Percentile: 73.0%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:H
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total
Details
CWE: CWE-284
Status: published
Products (1)
ddsn/cm3_acora_content_management_system: 10.1.1
Published: Feb 20, 2025
Tracked Since: Feb 18, 2026