CVE-2025-24968
📋 TL;DR
This vulnerability in reNgine allows attackers with penetration_tester or auditor roles to delete all projects, leading to system takeover via redirection to the onboarding page where they can modify users and critical settings. It affects all versions up to and including 2.20.
💻 Affected Systems
- reNgine
📦 What is this software?
Rengine by Yogeshojha
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise where attacker gains administrative control, modifies all users including Sys Admins, configures API keys, and controls all system settings.
Likely Case
Unauthorized deletion of all reconnaissance projects causing data loss and potential privilege escalation to administrative access.
If Mitigated
Limited impact if proper role-based access controls prevent unauthorized project deletion and restrict onboarding page access.
🎯 Exploit Status
Requires authenticated access with specific roles (penetration_tester or auditor). Exploitation involves project deletion followed by redirection manipulation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version after 2.20 (monitor project releases)
Vendor Advisory: https://github.com/yogeshojha/rengine/security/advisories/GHSA-3327-6x79-q396
Restart Required: No
Instructions:
1. Monitor reNgine GitHub releases for version >2.20.
2. Update to the patched version when available.
3. Verify patch by testing project deletion permissions.
🔧 Temporary Workarounds
No known workarounds
The advisory states there are no known workarounds for this vulnerability.
🧯 If You Can't Patch
- Immediately restrict or remove penetration_tester and auditor role assignments to minimize attack surface
- Implement strict network segmentation and access controls to limit who can reach the reNgine instance
🔍 How to Verify
Check if Vulnerable:
Check whether the instance is running reNgine version 2.20 or earlier. Verify whether any users hold the penetration_tester or auditor role.
Check Version:
Check the reNgine web interface or configuration files for version information.
Verify Fix Applied:
After updating, test whether accounts with the penetration_tester or auditor role can still delete all projects or reach the onboarding page.
📡 Detection & Monitoring
Log Indicators:
- Mass project deletion events
- Unauthorized access to onboarding page
- User role changes from non-admin to admin
Network Indicators:
- Unusual API calls to project deletion endpoints
- Requests to onboarding page from non-admin users
SIEM Query:
source="rengine" AND (event="project_delete" OR event="onboarding_access") AND user_role IN ("penetration_tester", "auditor")
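A small detector that applies the log indicators above to constructed sample events, added here as an example (it is not reNgine's own logging or tooling). The event and field names, the sys_admin role label and the mass-deletion threshold are assumptions chosen to match the schema the SIEM query implies.

```python
import json
from collections import defaultdict

# Constructed sample events (not real reNgine output); field names are assumed to
# follow the schema of the SIEM query: event, user, user_role, ts.
SAMPLE_LOG = """
{"ts": 1700000000, "event": "login", "user": "bob", "user_role": "auditor"}
{"ts": 1700000010, "event": "project_delete", "user": "bob", "user_role": "auditor", "project": "recon-a"}
{"ts": 1700000011, "event": "project_delete", "user": "bob", "user_role": "auditor", "project": "recon-b"}
{"ts": 1700000012, "event": "project_delete", "user": "bob", "user_role": "auditor", "project": "recon-c"}
{"ts": 1700000020, "event": "onboarding_access", "user": "bob", "user_role": "auditor"}
{"ts": 1700000030, "event": "role_change", "user": "bob", "user_role": "auditor", "target_user": "bob", "old_role": "auditor", "new_role": "sys_admin"}
{"ts": 1700000100, "event": "project_delete", "user": "alice", "user_role": "sys_admin", "project": "stale"}
""".strip()

NON_ADMIN_ROLES = {"penetration_tester", "auditor"}   # roles named in the advisory
ADMIN_ROLES = {"sys_admin"}                           # assumed label for Sys Admin
MASS_DELETE_THRESHOLD = 3   # deletions by one user inside the window raise an alert
MASS_DELETE_WINDOW = 60     # seconds

def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def detect(events):
    """Return (rule, user, ts) alerts in timestamp order."""
    alerts = []
    deletions = defaultdict(list)   # user -> timestamps of recent project_delete events
    for e in sorted(events, key=lambda e: e["ts"]):
        role, kind, user, ts = e.get("user_role"), e["event"], e["user"], e["ts"]
        # Rule 1: project deletion or onboarding access by the two affected roles
        if role in NON_ADMIN_ROLES and kind in ("project_delete", "onboarding_access"):
            alerts.append((f"non_admin_{kind}", user, ts))
        # Rule 2: mass deletion, alerted when a user first reaches the threshold
        # within a sliding window (any role, since bulk deletion is itself suspicious)
        if kind == "project_delete":
            window = [t for t in deletions[user] if ts - t <= MASS_DELETE_WINDOW] + [ts]
            deletions[user] = window
            if len(window) == MASS_DELETE_THRESHOLD:
                alerts.append(("mass_project_delete", user, ts))
        # Rule 3: an account being elevated from a non-admin role to an admin role
        if kind == "role_change" and e.get("old_role") not in ADMIN_ROLES \
                and e.get("new_role") in ADMIN_ROLES:
            alerts.append(("privilege_escalation", e.get("target_user", user), ts))
    return alerts

if __name__ == "__main__":
    for rule, user, ts in detect(parse_events(SAMPLE_LOG)):
        print(f"{ts} {rule:28} user={user}")
```

On the sample above every alert is raised for bob (three role-based deletion alerts, one mass-deletion alert, one onboarding-access alert and one privilege-escalation alert), while the admin's single deletion is not flagged.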