CVE-2015-8267

10.0 CRITICAL

📋 TL;DR

This vulnerability in Dovestones AD Self Password Reset allows a remote, unauthenticated attacker to reset any user's password by sending a crafted request to the ChangePasswordIndex method of PasswordReset.dll that names a valid account. It affects organizations running this software for Active Directory password self-service at any version before 3.0.4.0.

💻 Affected Systems

Products:
  • Dovestones AD Self Password Reset
Versions: All versions before 3.0.4.0
Operating Systems: Windows (Active Directory environment)
Default Config Vulnerable: ⚠️ Yes
Notes: The flaw is in the PasswordReset.dll component, specifically the ChangePasswordIndex method. It is reachable wherever the software is installed and configured to reset Active Directory passwords; the reset is only as dangerous as the set of accounts the tool is allowed to act on.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete Active Directory compromise: if privileged accounts are within the tool's reset scope, attackers reset domain admin passwords, gain persistent access, and can go on to deploy ransomware or exfiltrate sensitive data.

🟠

Likely Case

Attackers reset passwords for regular user accounts to gain unauthorized access to systems, applications, and data, leading to data theft or lateral movement.

🟢

If Mitigated

Limited impact with proper network segmentation, monitoring, and quick detection of unauthorized password reset attempts.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable without authentication, making internet-facing instances extremely vulnerable.
🏢 Internal Only: HIGH - Even internally, any user with network access could exploit this to reset other users' passwords.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability description indicates that a single crafted request is enough to trigger the flaw. No public exploit code was found in the references, but with no authentication and a simple request format, weaponization is likely.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.4.0

Vendor Advisory: http://www.dovestones.com/security-vulnerability-in-ad-self-password-reset-v3-0-3-0/

Restart Required: Yes

Instructions:

1. Download version 3.0.4.0 or later from Dovestones.
2. Back up the current installation.
3. Run the installer to upgrade.
4. Restart the application/service.
5. Verify functionality.

🔧 Temporary Workarounds

Network Isolation

all

Restrict network access to the AD Self Password Reset service to trusted internal networks only.

Use firewall rules to block external access to the web server port hosting the application (typically TCP 80/443). Remember that a reset request from inside the network is just as effective, so this only narrows the attacker population; it does not close the flaw.
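The following is an added example of the firewall workaround (it is not vendor code and not from the original page). It scopes inbound access to the application's port to trusted subnets with Windows Firewall. The port number and the two trusted ranges are placeholders; adjust them to your deployment. Note that Windows Firewall gives Block rules precedence over Allow rules, so a blanket Block on the port would also shut out trusted clients: the correct pattern is no broad Allow rule, one Allow rule scoped to trusted addresses, and default-deny inbound.

```powershell
# Added example: restrict the AD Self Password Reset web port to trusted subnets.
# Assumptions (placeholders): the site listens on TCP 443; 10.0.0.0/8 and
# 192.168.10.0/24 are the trusted client ranges. Run in an elevated PowerShell.
$Port    = 443
$Trusted = @('10.0.0.0/8', '192.168.10.0/24')
$RuleName = 'ADSelfPasswordReset - trusted subnets only'

# 1. Disable every enabled inbound Allow rule that already opens this port to
#    everyone (e.g. the generic web-server rules). Review the names printed:
#    other sites on the same server share these rules.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq $Port } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        Write-Host "Disabling broad rule: $($_.DisplayName)"
        Disable-NetFirewallRule -Name $_.Name
    }

# 2. Allow the port only from the trusted ranges.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort $Port `
    -RemoteAddress $Trusted -Action Allow -Profile Any | Out-Null

# 3. The scoped rule only helps if unmatched inbound traffic is dropped.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 4. Show the address scope of the new rule for review.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter
```

Run step 1 first on its own and check which rules it reports before disabling them; on a server that hosts other web applications you may prefer to leave the generic rule in place and move the password reset site to a dedicated port or host instead.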

Disable Service

windows

Temporarily disable the password reset functionality until patched.

The commands below assume the product is registered as a Windows service with the display name shown; confirm the actual name first with `sc query` (or `Get-Service`), and if the product is deployed only as a web site, stop that site in the web server instead.

Stop the service: net stop "Dovestones AD Self Password Reset"
Disable the service: sc config "Dovestones AD Self Password Reset" start= disabled

🧯 If You Can't Patch

  • Implement strict network access controls so that only the clients that genuinely need self-service password reset can reach the service.
  • Enable detailed logging of every reset request (source address, target account, outcome) on both the application and the web server, forward it to your SIEM, and alert on bursts, on resets of privileged accounts, and on sources outside the expected ranges.

🔍 How to Verify

Check if Vulnerable:

Check the installed version of Dovestones AD Self Password Reset. If version is below 3.0.4.0, it is vulnerable.

Check Version:

Check the application's About section or the installed programs list in Windows (Programs and Features, or the Uninstall registry keys) for the version. The affected component itself, PasswordReset.dll, also carries a file version that can be compared.
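As an added example (not from the vendor or the original page), the script below reads the installed version from the Windows uninstall registry keys and compares it with the fixed version using a proper version comparison, so that, for instance, 3.0.10.0 is correctly treated as newer than 3.0.4.0. The DisplayName match pattern and the DLL path are assumptions; change them if the product registers under a different name or is installed elsewhere.

```powershell
# Added example: is the installed Dovestones AD Self Password Reset below 3.0.4.0?
# Assumptions: the uninstall entry's DisplayName contains "AD Self Password Reset";
# the DLL path further down is a placeholder.
$FixedVersion  = [version]'3.0.4.0'
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*AD Self Password Reset*' }

if (-not $entries) {
    Write-Host 'No matching uninstall entry; check the About page or the web application binaries.'
}

foreach ($e in $entries) {
    # DisplayVersion is a string; a string comparison would put "3.0.10.0" before "3.0.4.0".
    $installed = $null
    if (-not [version]::TryParse([string]$e.DisplayVersion, [ref]$installed)) {
        Write-Host "$($e.DisplayName): version '$($e.DisplayVersion)' is not parseable, check manually"
        continue
    }
    if ($installed -lt $FixedVersion) {
        Write-Host "VULNERABLE: $($e.DisplayName) $installed is below $FixedVersion (CVE-2015-8267)"
    } else {
        Write-Host "OK: $($e.DisplayName) $installed is at or above $FixedVersion"
    }
}

# Optional second check on the affected component itself. The path is a
# placeholder assumption: point it at the application's bin folder.
$dll = 'C:\inetpub\wwwroot\ADSelfPasswordReset\bin\PasswordReset.dll'
if (Test-Path $dll) {
    $fileVersion = (Get-Item $dll).VersionInfo.FileVersion
    Write-Host "PasswordReset.dll file version: $fileVersion"
}
```

The file-version check is useful after an upgrade that left the uninstall entry stale, or when the product was deployed by copying files rather than through the installer.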

Verify Fix Applied:

Confirm the software version is 3.0.4.0 or later. Then, in a test environment, confirm that the reset workflow still succeeds for an authorized user and that a reset request which has not completed the application's authorization steps is refused.

📡 Detection & Monitoring

Log Indicators:

  • Unusual password reset requests, especially many targets from one source, resets of privileged or service accounts, or resets outside business hours
  • Failed authentication attempts followed by a password reset of the same account from the same source IP

Network Indicators:

  • Bursts of POST requests to the password reset endpoint from a single client, or requests carrying an automated-tool User-Agent
  • Traffic to the service from IP ranges that are not expected to use self-service reset (external addresses, server subnets)

SIEM Query (Splunk syntax; the source, event and field names are placeholders that depend on how your collector parses the application and web server logs, and 5 is a starting threshold to tune):

source="ADPasswordReset" (event="PasswordReset" OR event="ChangePassword") | stats count, dc(user) AS targeted_users by src_ip | where count > 5 OR targeted_users > 1
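The SIEM query above needs the reset events already parsed. The following added example (not from the vendor or the original page) does the equivalent directly over IIS W3C log lines, which is often the only record when the application's own logging is thin: it flags any client that sends a burst of POSTs to the reset endpoint, or that comes from outside the trusted range. The log lines are constructed for the example, and the endpoint path, trusted prefix, threshold and window are placeholder assumptions.

```powershell
# Added example: find suspicious sources in IIS W3C logs for the reset endpoint.
# Assumptions (placeholders): reset pages live under /PasswordReset/, trusted
# clients are in 10.0.0.0/8, and the log lines below are constructed sample data.
$ResetPathPattern = '^/PasswordReset/'
$TrustedPrefix    = '10.'   # crude /8 check; replace with your real ranges
$Threshold        = 5       # reset POSTs per source within the window
$WindowMinutes    = 10

# Constructed sample in IIS W3C format (fields listed in the #Fields line).
$SampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2015-11-20 09:00:01 10.1.1.5 GET /PasswordReset/ - 10.2.3.4 Mozilla/5.0 200
2015-11-20 09:00:20 10.1.1.5 POST /PasswordReset/ChangePassword - 10.2.3.4 Mozilla/5.0 200
2015-11-20 09:05:00 10.1.1.5 POST /PasswordReset/ChangePassword - 203.0.113.9 python-requests/2.7 200
2015-11-20 09:05:01 10.1.1.5 POST /PasswordReset/ChangePassword - 203.0.113.9 python-requests/2.7 200
2015-11-20 09:05:02 10.1.1.5 POST /PasswordReset/ChangePassword - 203.0.113.9 python-requests/2.7 200
2015-11-20 09:05:03 10.1.1.5 POST /PasswordReset/ChangePassword - 203.0.113.9 python-requests/2.7 200
2015-11-20 09:05:04 10.1.1.5 POST /PasswordReset/ChangePassword - 203.0.113.9 python-requests/2.7 200
2015-11-20 09:05:05 10.1.1.5 POST /PasswordReset/ChangePassword - 203.0.113.9 python-requests/2.7 200
'@

function Find-SuspiciousResetSources {
    param([string[]]$Lines)

    # Parse data lines only; W3C directive lines start with '#'.
    $events = foreach ($line in $Lines) {
        if (-not $line.Trim() -or $line -match '^#') { continue }
        $f = $line -split '\s+'
        if ($f.Count -lt 9) { continue }
        [pscustomobject]@{
            Time      = [datetime]::ParseExact("$($f[0]) $($f[1])", 'yyyy-MM-dd HH:mm:ss',
                            [Globalization.CultureInfo]::InvariantCulture)
            Method    = $f[3]
            Path      = $f[4]
            ClientIp  = $f[6]
            UserAgent = $f[7]
            Status    = [int]$f[8]
        }
    }

    $resets = $events | Where-Object { $_.Method -eq 'POST' -and $_.Path -match $ResetPathPattern }

    foreach ($group in ($resets | Group-Object ClientIp)) {
        $sorted    = @($group.Group | Sort-Object Time)
        $first     = $sorted[0].Time
        $last      = $sorted[-1].Time
        # Simplification: one span per source rather than a sliding window.
        $burst     = ($group.Count -ge $Threshold) -and (($last - $first).TotalMinutes -le $WindowMinutes)
        $untrusted = -not $group.Name.StartsWith($TrustedPrefix)
        if ($burst -or $untrusted) {
            [pscustomobject]@{
                ClientIp   = $group.Name
                Resets     = $group.Count
                Span       = "$first .. $last"
                Burst      = $burst
                Untrusted  = $untrusted
                UserAgents = ($sorted | Select-Object -ExpandProperty UserAgent -Unique) -join ','
            }
        }
    }
}

# Against a real log: Find-SuspiciousResetSources -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex151120.log')
Find-SuspiciousResetSources -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

With the sample data only 203.0.113.9 is reported (six POSTs in five seconds from an untrusted address with a scripting User-Agent); the trusted client with a single POST is not. Because IIS does not log POST bodies, the targeted username is not available here; correlate the flagged source and timestamps with the application's own log or with Windows security event 4724 (password reset attempt) on the domain controllers to see which accounts were hit.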
