CVE-2025-63248

7.5 HIGH

📋 TL;DR

DWSurvey 6.14.0 has an access control vulnerability that allows authenticated users to delete other users' questionnaires by manipulating questionnaire IDs during deletion requests. This affects all DWSurvey 6.14.0 installations where users can delete questionnaires.

💻 Affected Systems

Products:
  • DWSurvey
Versions: 6.14.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All DWSurvey 6.14.0 installations are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious or compromised users could delete all questionnaires in the system, causing complete data loss and service disruption.

🟠 Likely Case

Users accidentally or intentionally delete other users' questionnaires, leading to data loss and potential business impact.

🟢 If Mitigated

With proper access controls, users can only delete their own questionnaires, limiting impact to authorized data.

🌐 Internet-Facing: HIGH - If the application is internet-facing, any authenticated user could exploit this vulnerability remotely.
🏢 Internal Only: HIGH - Even internally, authenticated users can exploit this to delete other users' data.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is simple: an attacker only has to change the questionnaire ID parameter in a deletion request.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Check vendor repositories for updates or implement workarounds.

🔧 Temporary Workarounds

Implement server-side authorization check (applies to: all)

  • Add server-side validation to ensure users can only delete questionnaires they own
  • Modify the questionnaire deletion endpoint to verify ownership before processing

Disable questionnaire deletion (applies to: all)

  • Temporarily disable questionnaire deletion functionality
  • Comment out or remove questionnaire deletion endpoints
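The following is an added illustration, not DWSurvey code: an in-memory model of a questionnaire deletion endpoint with the defect this CVE describes (the questionnaire ID from the request is trusted as-is) beside the server-side ownership check that the first workaround calls for. The class and function names (`Questionnaire`, `QuestionnaireStore`, `delete_vulnerable`, `delete_secure`) and the audit-line format are assumptions for illustration; DWSurvey's real classes, routes and log format differ. `cross_user_delete_allowed` encodes the "How to Verify" step from the advisory (two questionnaires owned by different users, one user attempts to delete the other's), so the same function shows the vulnerable and the fixed behaviour.

```python
"""Added example (not DWSurvey code): a vulnerable deletion handler next to
its hardened form. All names here are illustrative assumptions."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the requesting user does not own the questionnaire."""


class NotFound(Exception):
    """Raised when no questionnaire has the requested ID."""


@dataclass
class Questionnaire:
    qid: int
    owner_id: int
    title: str


@dataclass
class QuestionnaireStore:
    rows: dict = field(default_factory=dict)

    def add(self, q: Questionnaire) -> None:
        self.rows[q.qid] = q

    def exists(self, qid: int) -> bool:
        return qid in self.rows


def delete_vulnerable(store: QuestionnaireStore, user_id: int, qid: int) -> bool:
    """Models the vulnerable behaviour: the only gate is 'is the caller
    authenticated?'. The ID from the request is trusted as-is, so any user
    can delete any questionnaire by changing the ID. user_id is unused."""
    if qid not in store.rows:
        raise NotFound(qid)
    del store.rows[qid]
    return True


def delete_secure(store: QuestionnaireStore, user_id: int, qid: int) -> bool:
    """Hardened variant: look the record up first, then require that the
    authenticated user is its owner before deleting. Ownership comes from
    the server-side record, never from anything the client sends."""
    q = store.rows.get(qid)
    if q is None:
        raise NotFound(qid)
    if q.owner_id != user_id:
        # Record requester and owner so a log search can spot the mismatch.
        print(f"audit: action=delete user_id={user_id} qid={qid} "
              f"owner_id={q.owner_id} result=denied")
        raise Forbidden(qid)
    del store.rows[qid]
    print(f"audit: action=delete user_id={user_id} qid={qid} "
          f"owner_id={q.owner_id} result=ok")
    return True


def build_sample_store() -> QuestionnaireStore:
    """Constructed sample data: two users, one questionnaire each."""
    store = QuestionnaireStore()
    store.add(Questionnaire(qid=101, owner_id=1, title="alice survey"))
    store.add(Questionnaire(qid=102, owner_id=2, title="bob survey"))
    return store


def cross_user_delete_allowed(handler) -> bool:
    """The advisory's verification step as a function: user 1 asks to delete
    questionnaire 102, which belongs to user 2. Returns True when the handler
    allows it (vulnerable) and False when it refuses (fixed)."""
    store = build_sample_store()
    try:
        handler(store, user_id=1, qid=102)
    except Forbidden:
        return False
    return not store.exists(102)


if __name__ == "__main__":
    print("vulnerable handler allows cross-user delete:",
          cross_user_delete_allowed(delete_vulnerable))
    print("hardened handler allows cross-user delete:",
          cross_user_delete_allowed(delete_secure))
```

The hardened handler distinguishes "not found" from "not yours"; a deployment that does not want to confirm which IDs exist can return the same not-found response in both cases, as long as the ownership comparison still happens before the delete. The audit line it prints carries both `user_id` and `owner_id`, which is the pair the SIEM query under Detection & Monitoring compares.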

🧯 If You Can't Patch

  • Implement web application firewall rules to block suspicious deletion requests
  • Enable detailed logging of all questionnaire deletion attempts and monitor for unauthorized access

🔍 How to Verify

Check if Vulnerable:

Test by creating two questionnaires with different IDs, then attempt to delete one by substituting the other's ID in the deletion request.

Check Version:

Check DWSurvey version in application interface or configuration files

Verify Fix Applied:

After implementing fixes, repeat the test - deletion should fail when attempting to delete another user's questionnaire.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed deletion attempts
  • Deletion requests for questionnaire IDs not owned by requesting user
  • Unusual deletion patterns

Network Indicators:

  • HTTP POST requests to questionnaire deletion endpoints with modified ID parameters

SIEM Query:

source="dwsurvey" AND action="delete" AND user_id!=questionnaire_owner_id
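As an added example (not part of the advisory and not a DWSurvey component), the detector below implements the two log indicators above over key=value audit lines: deletion events where the requesting user is not the questionnaire owner (the SIEM query), and users accumulating repeated denied deletions. The log line format and the sample lines are constructed assumptions; a real DWSurvey deployment needs its own parser for its own deletion log format, but the two checks carry over unchanged.

```python
"""Added example (not part of the advisory): the advisory's log indicators
as code over constructed key=value audit lines. Format is an assumption."""
import re
from collections import Counter

# Constructed sample audit lines, not captured from any real system.
SAMPLE_LOG = """\
2025-11-01T10:00:01Z source=dwsurvey action=delete user_id=1 qid=101 owner_id=1 result=ok
2025-11-01T10:00:05Z source=dwsurvey action=delete user_id=1 qid=102 owner_id=2 result=denied
2025-11-01T10:00:06Z source=dwsurvey action=delete user_id=1 qid=103 owner_id=2 result=denied
2025-11-01T10:00:07Z source=dwsurvey action=delete user_id=1 qid=104 owner_id=3 result=denied
2025-11-01T10:00:09Z source=dwsurvey action=delete user_id=3 qid=105 owner_id=2 result=ok
2025-11-01T10:01:00Z source=dwsurvey action=view user_id=2 qid=102 owner_id=2 result=ok
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split one audit line into its key=value fields plus the leading timestamp."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def cross_owner_deletes(log_text: str) -> list:
    """Indicator 1 (the advisory's SIEM query): deletion events where the
    requesting user is not the owner, whatever the result. A result=ok row
    here means a cross-user deletion actually went through (unpatched host)."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if (ev.get("source") == "dwsurvey" and ev.get("action") == "delete"
                and ev.get("user_id") != ev.get("owner_id")):
            hits.append(ev)
    return hits


def repeated_denials(log_text: str, threshold: int = 3) -> dict:
    """Indicator 2: users with at least `threshold` denied deletions, which is
    what ID substitution looks like against a host with the ownership check."""
    counts = Counter(
        ev["user_id"]
        for ev in map(parse_line, log_text.splitlines())
        if ev.get("action") == "delete" and ev.get("result") == "denied"
    )
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ev in cross_owner_deletes(SAMPLE_LOG):
        print(f"{ev['ts']} user {ev['user_id']} -> qid {ev['qid']} "
              f"(owner {ev['owner_id']}) result={ev['result']}")
    print("repeated denials:", repeated_denials(SAMPLE_LOG))
```

On the sample lines the first check surfaces four events, three denied and one successful cross-owner deletion by user 3, and the second flags user 1 for three denials in a row. The successful row is the one that matters on an unpatched installation; the denial count is the signal to watch once the ownership check is in place.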
