CVE-2025-62781
📋 TL;DR
This vulnerability allows attackers with stolen session tokens to maintain access to PILOS accounts even after users change their passwords. It affects PILOS (Platform for Interactive Live-Online Seminars) users with local accounts. The issue occurs because password changes don't invalidate the current active session token.
💻 Affected Systems
- PILOS (Platform for Interactive Live-Online Seminars)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers maintain persistent unauthorized access to user accounts, potentially accessing sensitive seminar data, recordings, or conducting unauthorized actions as legitimate users.
Likely Case
Attackers who previously obtained session tokens through other vulnerabilities can continue accessing compromised accounts despite password resets.
If Mitigated
With proper session management and token invalidation, attackers lose access immediately upon password changes.
🎯 Exploit Status
Requires attacker to first obtain valid session token through other vulnerabilities or attacks. Password change must occur while attacker has active stolen session.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.8.0
Vendor Advisory: https://github.com/THM-Health/PILOS/security/advisories/GHSA-m8w5-8w3h-72wm
Restart Required: No
Instructions:
1. Backup current PILOS installation and database.
2. Update PILOS to version 4.8.0 or later.
3. Verify the update completed successfully.
4. Test password change functionality to ensure sessions are properly invalidated.
🔧 Temporary Workarounds
Force session termination on password change
- Manually invalidate all active sessions when users change passwords by clearing session tokens
- Requires code modification to PILOS session management
Implement session timeout policies
- Reduce session lifetime to limit the window for token misuse
- Configure PILOS session timeout settings
🧯 If You Can't Patch
- Monitor for suspicious account activity and force logout all sessions for users who change passwords
- Implement additional authentication factors for sensitive operations
🔍 How to Verify
Check if Vulnerable:
Test if changing password while logged in from multiple devices allows old sessions to remain active
Check Version:
Check PILOS version in admin interface or configuration files
Verify Fix Applied:
After updating to 4.8.0+, verify that password changes invalidate all active sessions including the current one
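The two workarounds above and the verification steps in this section describe the same mechanism: a password change must revoke every session for the user, including the one the change was made from, and hand the client a fresh token. The following is an added illustration, not PILOS code; it is a constructed in-memory session store with two hypothetical password-change handlers, one that keeps the current session (the pattern this advisory describes) and one that rotates all sessions, plus a check that mirrors the "logged in from multiple devices" test. Names such as SessionStore, change_password_keep_current and verify_invalidation are assumptions made for this example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    token: str
    user_id: str
    issued_at: float
    revoked: bool = False


@dataclass
class User:
    user_id: str
    password_hash: str  # hypothetical; a real app stores a slow hash (bcrypt/argon2)
    password_changed_at: float = 0.0


class SessionStore:
    """Constructed in-memory session store (example only, not PILOS code)."""

    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}

    def create(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(token, user_id, time.time())
        return token

    def is_valid(self, token: str, max_age_seconds: Optional[float] = None) -> bool:
        # Optional max_age models the "reduce session lifetime" workaround.
        s = self.sessions.get(token)
        if s is None or s.revoked:
            return False
        if max_age_seconds is not None and time.time() - s.issued_at >= max_age_seconds:
            return False
        return True

    def revoke_all_for_user(self, user_id: str, except_token: Optional[str] = None) -> int:
        revoked = 0
        for s in self.sessions.values():
            if s.user_id == user_id and not s.revoked and s.token != except_token:
                s.revoked = True
                revoked += 1
        return revoked


def change_password_keep_current(store: SessionStore, user: User,
                                 current_token: str, new_hash: str) -> str:
    # Pattern described in the advisory: other sessions are cleared, but the
    # session used to make the change survives. Any copy of that token that an
    # attacker already holds therefore keeps working after the change.
    user.password_hash = new_hash
    user.password_changed_at = time.time()
    store.revoke_all_for_user(user.user_id, except_token=current_token)
    return current_token


def change_password_rotate_all(store: SessionStore, user: User,
                               current_token: str, new_hash: str) -> str:
    # Hardened handler: revoke every session, including the current one, then
    # issue a fresh token to the client that made the change so the legitimate
    # user stays logged in while every previously issued token is dead.
    user.password_hash = new_hash
    user.password_changed_at = time.time()
    store.revoke_all_for_user(user.user_id)
    return store.create(user.user_id)


def verify_invalidation(change_fn) -> Dict[str, bool]:
    """Mirror the 'How to Verify' check: log in from two devices, change the
    password from one of them, and report which tokens still work."""
    store = SessionStore()
    user = User("alice", "hash-old")          # constructed test user
    token_desktop = store.create("alice")     # session the change is made from
    token_phone = store.create("alice")       # second device
    new_token = change_fn(store, user, token_desktop, "hash-new")
    return {
        "old_current_still_valid": store.is_valid(token_desktop),
        "other_device_still_valid": store.is_valid(token_phone),
        "new_token_valid": store.is_valid(new_token),
    }


if __name__ == "__main__":
    print("keep current:", verify_invalidation(change_password_keep_current))
    print("rotate all:  ", verify_invalidation(change_password_rotate_all))
```

A deployment is in the state this advisory describes when the check reports old_current_still_valid as True; after a correct fix both old tokens must report False while the freshly issued token remains usable.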
📡 Detection & Monitoring
Log Indicators:
- Multiple active sessions for same user after password change
- User account activity from unusual locations/times
Network Indicators:
- Session tokens being reused after password reset events
SIEM Query:
Search for password_change events followed by continued session activity from old tokens
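The log and SIEM indicators above reduce to one rule: any request carrying a session token that was first seen before the user's most recent password_change event is stale-token use and should be flagged, including the token the change itself was made from. The following added example (not part of the advisory or of PILOS) implements that rule in Python over constructed key=value log lines; the log format, field names and session identifiers are assumptions for illustration. Real deployments should log a hash of the session identifier rather than the raw token.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample log lines (not real PILOS output). Session values stand in
# for hashed session identifiers.
LOG_LINES = [
    "2025-10-20T09:00:01Z user=alice event=login session=tokA ip=203.0.113.5",
    "2025-10-20T09:05:12Z user=alice event=login session=tokB ip=198.51.100.7",
    "2025-10-20T09:10:00Z user=alice event=password_change session=tokA ip=203.0.113.5",
    "2025-10-20T09:12:30Z user=alice event=request session=tokA ip=203.0.113.5 path=/api/rooms",
    "2025-10-20T09:15:00Z user=alice event=request session=tokB ip=198.51.100.7 path=/api/recordings",
    "2025-10-20T09:20:00Z user=bob event=login session=tokC ip=192.0.2.9",
    "2025-10-20T09:21:00Z user=bob event=request session=tokC ip=192.0.2.9 path=/api/rooms",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, object]:
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed UTC 'ts'."""
    ts_str, rest = line.split(" ", 1)
    fields: Dict[str, object] = dict(KV.findall(rest))
    fields["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def find_stale_session_use(lines: List[str]) -> List[Dict[str, object]]:
    """Return every non-login event whose session predates the user's latest
    password change. Corresponds to the SIEM query described in the advisory."""
    events = [parse_line(l) for l in lines]
    events.sort(key=lambda e: e["ts"])
    first_seen: Dict[str, datetime] = {}      # session id -> first appearance
    last_pw_change: Dict[str, datetime] = {}  # user -> most recent password_change
    findings: List[Dict[str, object]] = []
    for e in events:
        sid = e.get("session")
        user = e.get("user")
        if sid and sid not in first_seen:
            first_seen[sid] = e["ts"]
        if e.get("event") == "password_change":
            last_pw_change[user] = e["ts"]
            continue
        changed_at = last_pw_change.get(user)
        # A session issued before the change must have been revoked by it; any
        # later use of that session (the changing session included) is stale use.
        if changed_at is not None and sid and first_seen[sid] < changed_at:
            findings.append({
                "user": user,
                "session": sid,
                "ip": e.get("ip"),
                "ts": e["ts"].isoformat(),
                "path": e.get("path"),
                "password_changed_at": changed_at.isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in find_stale_session_use(LOG_LINES):
        print("stale session use:", f)
```

On the constructed input, both of alice's pre-change sessions (the one that made the change and the one on the second device) are reported while bob, who changed no password, produces nothing; a patched deployment should produce no such findings because the stale tokens are rejected before a request is served.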