CVE-2025-25967

8.8 HIGH

📋 TL;DR

Acora CMS version 10.1.1 has a Cross-Site Request Forgery (CSRF) vulnerability: state-changing requests such as user creation and account deletion are not protected by an anti-forgery token, so an attacker can trick a logged-in user into submitting them from a page the attacker controls. Any authenticated user is exposed; administrators are the most valuable targets because the forged request executes with their privileges.

💻 Affected Systems

Products:
  • Acora CMS
Versions: 10.1.1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of Acora CMS 10.1.1 are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the CMS instance including deletion of all accounts, creation of attacker-controlled administrator accounts, and potential data destruction.

🟠

Likely Case

Unauthorized account creation or privilege escalation leading to attacker persistence and data exfiltration.

🟢

If Mitigated

Limited impact with proper CSRF protections and user awareness training.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires that the victim be authenticated to Acora CMS and load an attacker-controlled page (or follow a crafted link) in the same browser. The browser attaches the victim's session cookie to the forged request automatically, so the attacker never needs the victim's credentials.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available at the time of writing. Check the vendor for a release later than 10.1.1 that addresses the issue; until then, apply the workarounds below.

🔧 Temporary Workarounds

Implement CSRF Tokens

Applies to: all

Add CSRF protection tokens to all state-changing forms and API endpoints

Manual code modification required: generate a random per-session token, embed it as a hidden field in every state-changing form (and as a header for API calls), and reject any request whose token is missing or does not match the session's token, comparing in constant time. Reject state-changing requests made with GET, since those can be triggered by a simple link or image tag.

SameSite Cookie Attribute

Applies to: all

Set SameSite=Strict or SameSite=Lax on the session cookie so browsers withhold it from cross-site requests

Set-Cookie: session=value; SameSite=Strict; Secure; HttpOnly

Caveat: SameSite=Lax still sends the cookie on top-level GET navigations, so it only helps if no state-changing action is reachable via GET. Strict closes that gap but also drops the session on links followed from external sites. Treat SameSite as defence in depth, not a replacement for tokens.
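The two workarounds above describe the server-side token check and the cookie setting in prose. The following is an added example, not code from Acora CMS or its vendor, showing the synchronizer-token pattern together with an Origin/Referer check for a single state-changing handler (user deletion). The handler name, the `SITE_ORIGIN` value and the request/session shapes are assumptions made for illustration; in a real deployment the token lives in the server-side session store and the check is applied to every state-changing route.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://cms.example.test"  # assumed admin origin; replace with the real one
SESSION_TOKEN_KEY = "csrf_token"


@dataclass
class Session:
    """Stand-in for the server-side session the cookie identifies (assumed shape)."""
    user: str
    data: dict = field(default_factory=dict)


def issue_csrf_token(session: Session) -> str:
    """Create (or reuse) a random per-session token; it is only ever sent in the page body,
    never in a cookie, so a cross-site page cannot read it."""
    token = session.data.get(SESSION_TOKEN_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)
        session.data[SESSION_TOKEN_KEY] = token
    return token


def render_hidden_field(session: Session) -> str:
    """Hidden input that every state-changing form must carry."""
    return f'<input type="hidden" name="_csrf" value="{issue_csrf_token(session)}">'


def origin_allowed(headers: dict) -> bool:
    """Prefer Origin (browsers send it on cross-origin POSTs, as 'null' when suppressed),
    fall back to Referer, and reject when neither names our origin."""
    origin = headers.get("Origin")
    if origin:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN
    return False


def handle_delete_user(session: Session, method: str, headers: dict, form: dict) -> tuple:
    """Hypothetical delete-user route hardened against CSRF. Returns (status, message)."""
    if method != "POST":
        return 405, "state-changing actions must use POST"
    if not origin_allowed(headers):
        return 403, "cross-origin request rejected"
    expected = session.data.get(SESSION_TOKEN_KEY)
    supplied = form.get("_csrf", "")
    # constant-time comparison so the check does not leak the token byte by byte
    if not expected or not hmac.compare_digest(expected, supplied):
        return 403, "invalid CSRF token"
    return 200, f"deleted user {form['username']}"


def demo() -> dict:
    """Constructed requests: one legitimate submission and four forgery attempts."""
    session = Session(user="admin")
    token = issue_csrf_token(session)
    results = {}
    # legitimate: form rendered by the CMS, token echoed back, same origin
    results["legit"] = handle_delete_user(
        session, "POST", {"Origin": SITE_ORIGIN}, {"username": "bob", "_csrf": token})[0]
    # attacker page auto-submits a form; the victim's cookie rides along, but the page
    # cannot read the token and the browser reports the attacker's origin
    results["forged_cross_origin"] = handle_delete_user(
        session, "POST", {"Origin": "https://attacker.example.test"}, {"username": "bob"})[0]
    # attacker suppresses Origin/Referer with a referrer policy: still no token
    results["forged_no_headers"] = handle_delete_user(
        session, "POST", {}, {"username": "bob"})[0]
    # attacker guesses a token (256 bits of entropy, so this never matches)
    results["forged_guessed_token"] = handle_delete_user(
        session, "POST", {"Origin": SITE_ORIGIN},
        {"username": "bob", "_csrf": secrets.token_urlsafe(32)})[0]
    # image-tag style GET, the simplest CSRF vector
    results["forged_get"] = handle_delete_user(session, "GET", {}, {"username": "bob"})[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The Origin check and the token check are independent layers: either alone stops the forgeries above, and keeping both means a bug in one (for example a route that forgets to validate the token) does not immediately reopen the hole.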

🧯 If You Can't Patch

  • Deploy a web application firewall (WAF) rule that rejects state-changing requests to admin endpoints whose Origin header (or, if absent, Referer) does not match the CMS origin; Origin is the more reliable signal for cross-site POSTs
  • Require re-authentication (password prompt) for user creation, deletion and role changes, and add a confirmation step that itself carries a token

🔍 How to Verify

Check if Vulnerable:

Confirm the Acora CMS version is 10.1.1, then inspect a state-changing admin form (such as the user-creation form) for a hidden anti-forgery field. To test rather than assume, capture a legitimate submission, replay it with the session cookie but with any token removed or altered, and see whether the server still performs the action.

Check Version:

Check CMS admin panel or configuration files for version information

Verify Fix Applied:

Verify that every state-changing form and API endpoint includes a CSRF token and that the server rejects the request when the token is missing, altered, or taken from another session. Replaying a captured request without its token should fail.

📡 Detection & Monitoring

Log Indicators:

  • State-changing requests (user creation, deletion, privilege change) from an established session with no preceding navigation through the admin UI; CSRF rides an existing session, so do not expect failed logins beforehand
  • Unusual user creation or deletion events, especially outside the victim's normal working pattern

Network Indicators:

  • Requests to state-changing endpoints with no Origin/Referer header, an Origin of "null", or one naming an external site

SIEM Query:

source="acora_cms" AND (event="user_created" OR event="user_deleted" OR event="privilege_change") AND referer NOT CONTAINS "yourdomain.com"

Match the host exactly rather than with a substring test (a lookalike such as yourdomain.com.attacker.example would pass the query above), and treat a missing Referer as suspicious too, since an attacker's page can suppress it with a referrer policy.
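The SIEM query above is pseudo-syntax and relies on a substring match. Below is an added example, not part of the original advisory, that runs the same detection logic over a constructed sample of JSON log lines (the log format, field names and hostnames are assumptions) and flags state-changing events whose Origin/Referer is missing, "null", or names a host other than the CMS itself. It compares hosts exactly, so lookalike hostnames do not slip through.

```python
import json
from urllib.parse import urlsplit

SITE_HOST = "cms.example.test"  # assumed admin hostname; replace with your own
STATE_CHANGING = {"user_created", "user_deleted", "privilege_change"}

# Constructed sample log lines (one JSON object per line); not real Acora CMS output.
SAMPLE_LOGS = [
    '{"ts":"2025-03-01T09:00:01Z","user":"admin","event":"login_success","method":"POST",'
    '"referer":"https://cms.example.test/login","origin":"https://cms.example.test"}',
    '{"ts":"2025-03-01T09:02:10Z","user":"admin","event":"user_created","method":"POST",'
    '"referer":"https://cms.example.test/admin/users/new","origin":"https://cms.example.test"}',
    '{"ts":"2025-03-01T10:15:42Z","user":"admin","event":"user_deleted","method":"POST",'
    '"referer":"https://attacker.example.test/prize.html","origin":"https://attacker.example.test"}',
    '{"ts":"2025-03-01T10:16:05Z","user":"editor","event":"privilege_change","method":"POST",'
    '"referer":"","origin":"null"}',
    '{"ts":"2025-03-01T11:30:00Z","user":"admin","event":"user_created","method":"POST",'
    '"referer":"https://cms.example.test.attacker.example/x",'
    '"origin":"https://cms.example.test.attacker.example"}',
]


def _host(url):
    """Hostname of a URL, or None when the header is absent or the literal 'null'."""
    if not url or url == "null":
        return None
    return urlsplit(url).hostname


def classify(event, site_host=SITE_HOST):
    """Return a reason string if a state-changing event looks forged, else None."""
    if event.get("event") not in STATE_CHANGING:
        return None
    src = event.get("origin") or event.get("referer")
    host = _host(src)
    if host is None:
        return "state change with no Origin/Referer"
    # exact host comparison: a substring test would accept lookalike domains
    if host != site_host:
        return f"state change from external host {host}"
    return None


def flag_suspicious(lines, site_host=SITE_HOST):
    """Parse JSON log lines and return (ts, user, event, reason) for each suspicious one."""
    flagged = []
    for line in lines:
        ev = json.loads(line)
        reason = classify(ev, site_host)
        if reason:
            flagged.append((ev["ts"], ev["user"], ev["event"], reason))
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious(SAMPLE_LOGS):
        print(hit)
```

The last sample line is the case the substring query misses: its host contains "cms.example.test" but is not the CMS, and an exact comparison flags it. A missing Origin is flagged as well rather than passed, because a forged request can arrive without one.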

🔗 References
