CVE-2025-35433

5.0 MEDIUM

📋 TL;DR

CVE-2025-35433 is an authentication bypass (insufficient token invalidation) in CISA Thorium: authentication tokens issued before a password reset remain valid after the reset. An attacker who holds a previously captured token therefore keeps access to the account even after the legitimate user changes the password. All Thorium versions before 1.1.1 are affected.

💻 Affected Systems

Products:
  • CISA Thorium
Versions: All versions before 1.1.1
Operating Systems: Any OS running Thorium
Default Config Vulnerable: ⚠️ Yes
Notes: All Thorium deployments using default authentication mechanisms are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers maintain persistent access to compromised accounts even after victims change passwords, enabling continued data theft, privilege escalation, or lateral movement.

🟠

Likely Case

Attackers who previously obtained tokens through phishing, malware, or other means can maintain access to user accounts after password resets.

🟢

If Mitigated

With short token lifetimes and monitoring for post-reset token reuse, a captured token is only useful for a short window after the reset.

🌐 Internet-Facing: MEDIUM - Internet-facing Thorium instances are vulnerable to token reuse attacks, but exploitation requires obtaining valid tokens first.
🏢 Internal Only: MEDIUM - Internal deployments face similar risks, though attack surface may be smaller depending on network segmentation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a valid token obtained beforehand (phishing, malware, leaked configuration or logs). The token is then simply replayed after the victim resets their password; no exploit code is needed beyond reusing it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.1.1

Vendor Advisory: https://github.com/cisagov/thorium/releases/tag/1.1.1

Restart Required: No

Instructions:

1. Back up the current Thorium configuration and data.
2. Download Thorium version 1.1.1 from the official repository.
3. Replace the existing installation with the new version.
4. Verify that all services are running correctly.

🔧 Temporary Workarounds

Force token invalidation on password reset

Platform: all

Manually invalidate all existing tokens for a user whenever that user's password is reset.

# Requires custom implementation - no standard command available
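The bug class and the workaround side by side, as an added example. This is illustrative code written for this page, not Thorium's own token handling, and it makes no claim about how Thorium stores tokens internally; the two store classes and the user names are hypothetical. The vulnerable store validates a token only by lookup and expiry, so a reset never affects it; the hardened store binds each token to a per-user credential generation that a reset bumps, which revokes every earlier token without enumerating them.

```python
"""Illustrative token stores for the CVE-2025-35433 bug class (added example, not Thorium code)."""
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple


def _fingerprint(token: str) -> str:
    # Store only a digest so a leaked token table does not leak usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class VulnerableTokenStore:
    """Accepts any known, unexpired token: a password reset never touches it (hypothetical)."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self._ttl = ttl_seconds
        self._tokens: Dict[str, Tuple[str, float]] = {}  # digest -> (user, expires_at)

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[_fingerprint(token)] = (user, time.time() + self._ttl)
        return token

    def reset_password(self, user: str) -> None:
        # The bug: the credential changes but previously issued tokens stay valid.
        pass

    def user_for(self, token: str) -> Optional[str]:
        entry = self._tokens.get(_fingerprint(token))
        if entry is None or entry[1] < time.time():
            return None
        return entry[0]


class HardenedTokenStore(VulnerableTokenStore):
    """Binds each token to the credential generation current at issue time (hypothetical).

    A password reset increments the user's generation, so every token minted
    before the reset fails validation without having to find and delete it.
    """

    def __init__(self, ttl_seconds: int = 3600) -> None:
        super().__init__(ttl_seconds)
        self._generation: Dict[str, int] = {}   # user -> current credential generation
        self._token_gen: Dict[str, int] = {}    # digest -> generation when issued

    def issue(self, user: str) -> str:
        token = super().issue(user)
        self._token_gen[_fingerprint(token)] = self._generation.get(user, 0)
        return token

    def reset_password(self, user: str) -> None:
        self._generation[user] = self._generation.get(user, 0) + 1

    def user_for(self, token: str) -> Optional[str]:
        user = super().user_for(token)
        if user is None:
            return None
        if self._token_gen.get(_fingerprint(token)) != self._generation.get(user, 0):
            return None  # issued before the last reset: treat as revoked
        return user


def old_token_survives_reset(store: VulnerableTokenStore) -> bool:
    """The advisory's check: is a token issued before a reset still accepted afterwards?"""
    token = store.issue("alice")
    assert store.user_for(token) == "alice"
    store.reset_password("alice")
    return store.user_for(token) == "alice"


if __name__ == "__main__":
    print("vulnerable store keeps old token:", old_token_survives_reset(VulnerableTokenStore()))
    print("hardened store keeps old token:  ", old_token_survives_reset(HardenedTokenStore()))
```

The generation counter is the cheap way to implement the "invalidate all existing tokens" workaround: a reset is one increment rather than a scan of the token table, and tokens issued after the reset carry the new generation and keep working.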

🧯 If You Can't Patch

  • Shorten token lifetimes so that a captured token expires soon even though a password reset does not revoke it
  • Monitor for tokens that were used before a user's password reset and are used again afterwards, especially from a new source address

🔍 How to Verify

Check if Vulnerable:

Check the Thorium version: anything below 1.1.1 is vulnerable. To confirm the behaviour on a test account: obtain a token, reset that account's password, then replay the old token. If the request is still accepted, the instance is vulnerable.

Check Version:

Check Thorium configuration or deployment manifest for version information

Verify Fix Applied:

After upgrading to 1.1.1, repeat the same test and confirm that a token issued before the password reset is rejected afterwards.

📡 Detection & Monitoring

Log Indicators:

  • Requests accepted with a token ID that was first seen before the user's password reset
  • The same token used from a different source IP address after the password change

Network Indicators:

  • Authentication requests using tokens that should be invalidated

SIEM Query:

source="thorium" (event="password_reset" OR event="token_validation") | sort 0 user _time | streamstats count(eval(event="password_reset")) AS resets_before BY user
| where event="token_validation" | stats min(resets_before) AS first_seen_at, max(resets_before) AS last_seen_at BY user, token_id | where last_seen_at > first_seen_at

The query flags any token ID that was accepted both before and after at least one password reset for the same user. The field names (event, user, token_id) are placeholders; map them to the actual Thorium log schema.
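The same detection logic run over sample log lines, as an added example written for this page (not part of the original advisory and not Thorium's logging code). The JSON log lines and the field names ts, event, user, token_id and src_ip are constructed for the example; the point is the rule itself, which counts password resets per user in time order and reports any token that was accepted both before and after a reset.

```python
"""Post-reset token reuse detection over constructed log lines (added example)."""
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed sample events: alice's tok-1 is accepted before and after her
# reset (from a new address); tok-2 only after; bob's tok-7 only before.
LOG_LINES = [
    '{"ts": "2025-06-01T09:00:00Z", "event": "token_validation", "user": "alice", "token_id": "tok-1", "src_ip": "10.0.0.5"}',
    '{"ts": "2025-06-01T09:30:00Z", "event": "password_reset", "user": "alice"}',
    '{"ts": "2025-06-01T09:45:00Z", "event": "token_validation", "user": "alice", "token_id": "tok-1", "src_ip": "203.0.113.9"}',
    '{"ts": "2025-06-01T10:00:00Z", "event": "token_validation", "user": "alice", "token_id": "tok-2", "src_ip": "10.0.0.5"}',
    '{"ts": "2025-06-01T11:00:00Z", "event": "token_validation", "user": "bob", "token_id": "tok-7", "src_ip": "10.0.0.8"}',
    '{"ts": "2025-06-01T11:10:00Z", "event": "password_reset", "user": "bob"}',
    '{"ts": "2025-06-01T11:20:00Z", "event": "token_validation", "user": "bob", "token_id": "tok-8", "src_ip": "10.0.0.8"}',
]


def _parse_ts(ts: str) -> datetime:
    # fromisoformat does not accept a trailing "Z" on older Pythons; normalise it.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def find_reused_tokens(lines: List[str]) -> List[Dict]:
    """Return one finding per (user, token_id) seen both before and after a password reset."""
    by_user: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        event = json.loads(line)
        by_user[event["user"]].append(event)

    findings: List[Dict] = []
    for user, events in by_user.items():
        events.sort(key=lambda e: _parse_ts(e["ts"]))
        resets = 0                      # resets seen so far for this user
        last_reset_ts = None
        first_seen: Dict[str, int] = {}  # token_id -> reset count at first sighting
        post_reset_uses: Dict[str, List[dict]] = defaultdict(list)
        for e in events:
            if e["event"] == "password_reset":
                resets += 1
                last_reset_ts = e["ts"]
            elif e["event"] == "token_validation":
                tid = e["token_id"]
                if tid not in first_seen:
                    first_seen[tid] = resets
                elif resets > first_seen[tid]:
                    # Token first accepted before this reset and accepted again after it.
                    e = dict(e, reset_at=last_reset_ts)
                    post_reset_uses[tid].append(e)
        for tid, uses in post_reset_uses.items():
            findings.append({
                "user": user,
                "token_id": tid,
                "reset_at": uses[0]["reset_at"],
                "uses_after_reset": len(uses),
                "source_ips": sorted({u.get("src_ip", "?") for u in uses}),
            })
    return findings


if __name__ == "__main__":
    for finding in find_reused_tokens(LOG_LINES):
        print(finding)
```

Tokens first seen after a reset (tok-2, tok-8) are not reported, because they were legitimately issued against the new password; only a token that straddles a reset boundary is evidence of this vulnerability being exercised. Source addresses are collected so an analyst can see whether the post-reset use came from somewhere the user never logged in from.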

🔗 References
