CVE-2025-63314

CRITICAL

DDSN Interactive Acora CMS <10.7.1 - Code Injection

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-63314. PoCs published by padayali-JD.

AI-analyzed exploit summary

This repository contains a writeup detailing CVE-2025-63314, an improper password reset token handling vulnerability in Acora CMS version 10.7.1. The flaw allows indefinite reuse of static reset tokens, leading to account takeover.

Description

A static password reset token in the password reset function of DDSN Interactive Acora CMS v10.7.1 allows attackers to arbitrarily reset the user password and execute a full account takeover via a replay attack.

Exploits (1)

nomisec writeup by padayali-JD (poc)
https://github.com/padayali-JD/CVE-2025-63314

Classification: Writeup (90%)
Attack Type: Auth Bypass
Complexity: Trivial
Reliability: Reliable
Target: cm3 Acora CMS version 10.7.1
Authentication: none needed
Prerequisites: obtaining a valid password reset token
Analyzed by devstral-2 on Feb 16, 2026

References (3)

Core References
Not Applicable: http://acora.com
Product: http://ddsn.com

Scores

CVSS v3 10.0
EPSS 0.0029
EPSS Percentile 20.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact partial

Details

CWE
CWE-640
Status published
Products (1)
ddsn/cm3_acora_cms 10.7.1
Published Jan 12, 2026
Tracked Since Feb 18, 2026