CVE-2025-60954

8.3 HIGH

📋 TL;DR

Microweber CMS 2.0 has weak password requirements that allow users to set extremely simple passwords during password resets, including single-character passwords. This vulnerability affects all Microweber CMS 2.0 installations and can lead to account compromise, including administrative accounts.

💻 Affected Systems

Products:
  • Microweber CMS
Versions: 2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of Microweber CMS 2.0 are vulnerable by default; no special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers brute-force weak passwords to compromise administrative accounts, gaining full control over the CMS to deface websites, steal data, or install malware.

🟠 Likely Case

Attackers use automated tools to guess weak passwords on user accounts, leading to unauthorized access and potential privilege escalation.

🟢 If Mitigated

With strong password policies enforced, risk is limited to other attack vectors; accounts remain protected against brute-force attacks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to password reset functionality; automated tools can easily brute-force weak passwords.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available; implement workarounds or upgrade to a patched version if released.

🔧 Temporary Workarounds

Enforce Password Policy via Custom Code

Applies to: all

Modify Microweber CMS code to enforce minimum password length and complexity during password resets.

Edit password reset validation logic in the CMS source code to require passwords of at least 8 characters with mixed characters.
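The check described above, as an added example (not Microweber's own code): a standalone PHP policy class that a reset handler would call before accepting the new password. The thresholds (8 characters, three character classes) and the call site in the trailing comment are assumptions.

```php
<?php
// Added example, not part of Microweber CMS. Assumed thresholds follow the workaround text.
declare(strict_types=1);

final class PasswordPolicy
{
    private const MIN_LENGTH  = 8;
    private const MIN_CLASSES = 3; // of: lowercase, uppercase, digits, symbols

    /**
     * Returns the list of policy violations; an empty list means the password is acceptable.
     */
    public static function violations(string $password): array
    {
        $problems = [];

        // Count characters rather than bytes so multibyte passwords are measured correctly.
        $length = mb_strlen($password);
        if ($length < self::MIN_LENGTH) {
            $problems[] = sprintf('must be at least %d characters', self::MIN_LENGTH);
        }

        // Count how many character classes are present.
        $classes  = preg_match('/\p{Ll}/u', $password) ? 1 : 0;         // lowercase letter
        $classes += preg_match('/\p{Lu}/u', $password) ? 1 : 0;         // uppercase letter
        $classes += preg_match('/\p{N}/u', $password) ? 1 : 0;          // digit
        $classes += preg_match('/[^\p{L}\p{N}]/u', $password) ? 1 : 0;  // symbol or punctuation
        if ($classes < self::MIN_CLASSES) {
            $problems[] = sprintf('must mix at least %d of: lowercase, uppercase, digits, symbols',
                                  self::MIN_CLASSES);
        }

        // Reject a single character repeated to reach the length ("aaaaaaaa").
        if ($length > 0 && count(array_unique(mb_str_split($password))) === 1) {
            $problems[] = 'must not consist of one repeated character';
        }

        return $problems;
    }

    public static function isAcceptable(string $password): bool
    {
        return self::violations($password) === [];
    }
}

// Hypothetical call site in the reset handler ($newPassword comes from the reset form):
// if (!PasswordPolicy::isAcceptable($newPassword)) {
//     abort(422, implode('; ', PasswordPolicy::violations($newPassword)));
// }
```

Since Microweber 2.0 is built on Laravel, the framework's `Illuminate\Validation\Rules\Password` rule (for example `Password::min(8)->mixedCase()->numbers()->symbols()`) gives an equivalent check where the reset request is validated through Laravel's validator.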

Use Web Application Firewall (WAF) Rules

Applies to: all

Configure WAF to block password reset requests with weak passwords based on length or pattern.

Add custom WAF rule to reject POST requests to password reset endpoints with password parameters shorter than 8 characters.

🧯 If You Can't Patch

  • Monitor for brute-force attempts on password reset endpoints and alert on suspicious activity.
  • Implement multi-factor authentication (MFA) for all user accounts to reduce impact of password compromise.

🔍 How to Verify

Check if Vulnerable:

Attempt a password reset on the Microweber CMS interface and try setting a single-character password; if accepted, the system is vulnerable.

Check Version:

Check the Microweber CMS admin panel or version file for '2.0'.

Verify Fix Applied:

After applying workarounds, test password reset with weak passwords to ensure they are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts after password reset, unusual account access from new IPs.

Network Indicators:

  • High volume of POST requests to password reset endpoints, patterns of short password submissions.

SIEM Query:

source="web_logs" AND url="*/password-reset*" AND status=200 AND password_length<8

Note that `password_length` is not a field standard web server logs carry; it has to be emitted by application-level instrumentation in the reset handler (record the length only, never the password itself).
