CVE-2025-66910
📋 TL;DR
Turms Server versions v0.10.0-SNAPSHOT and earlier keep administrator passwords in plaintext in process memory after a successful login. An attacker with local access to the host can recover these passwords through memory analysis, which negates the protection that bcrypt hashing of stored credentials is meant to provide. All Turms Server deployments running the affected versions are concerned.
💻 Affected Systems
- Turms Server
📦 What is this software?
Turms by Turms Im
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrator credentials, leading to complete system compromise, data theft, and privilege escalation across the entire Turms infrastructure.
Likely Case
Local attackers or malicious insiders extract administrator passwords, gaining unauthorized administrative access to the Turms Server management interface.
If Mitigated
With proper access controls and monitoring, impact is limited to credential exposure requiring password resets and investigation.
🎯 Exploit Status
Exploitation requires local system access and memory analysis tools, but the vulnerability is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://github.com/turms-im/turms
Restart Required: Yes
Instructions:
1. Monitor the Turms GitHub repository for security updates.
2. Apply the patch when it becomes available.
3. Restart the Turms Server services.
4. Force a password reset for all administrator accounts.
🔧 Temporary Workarounds
Memory Protection Controls
Implement strict access controls to prevent unauthorized local access to Turms Server hosts, since the exposure requires reading the server process's memory.
Administrator Account Monitoring
Implement enhanced monitoring and alerting for administrator account activity so that use of a recovered credential is noticed quickly.
🧯 If You Can't Patch
- Restrict local system access to Turms Server hosts to trusted administrators only
- Implement memory protection mechanisms and disable debugging interfaces on production systems
🔍 How to Verify
Check if Vulnerable:
Check the Turms Server version. If it is v0.10.0-SNAPSHOT or earlier, the system is vulnerable.
Check Version:
Check the Turms Server documentation or configuration files for version information.
Verify Fix Applied:
Verify that the Turms Server version is newer than v0.10.0-SNAPSHOT and that BaseAdminService no longer retains the plaintext password on the in-memory admin record after login.
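As an added, language-independent illustration of what that check is looking for (constructed here, not Turms code; hashlib's pbkdf2_hmac stands in for bcrypt, and all class names, function names and the iteration count are assumptions), this contrasts a login path that caches the verified password on the long-lived admin record with one that retains only the hash and the verification outcome and zeroes the caller's buffer:

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

ITERATIONS = 100_000  # assumption; bcrypt's cost factor plays this role in Turms

def hash_password(password: bytes, salt: Optional[bytes] = None) -> bytes:
    """Salted slow hash; pbkdf2_hmac stands in for bcrypt in this example."""
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)

def verify_password(password: bytes, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password, salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

@dataclass
class VulnerableAdminInfo:
    """Mirrors the reported defect: the long-lived record keeps the raw password."""
    account: str
    password_hash: bytes
    raw_password: Optional[bytes] = None

@dataclass
class HardenedAdminInfo:
    """Keeps only the hash and the verification outcome."""
    account: str
    password_hash: bytes
    authenticated: bool = False

def vulnerable_login(info: VulnerableAdminInfo, password: bytearray) -> bool:
    if verify_password(bytes(password), info.password_hash):
        info.raw_password = bytes(password)  # plaintext now lives as long as info does
        return True
    return False

def hardened_login(info: HardenedAdminInfo, password: bytearray) -> bool:
    try:
        info.authenticated = verify_password(bytes(password), info.password_hash)
        return info.authenticated
    finally:
        # Zero the caller's mutable buffer whether or not verification succeeded.
        # The transient bytes() copy is immutable and beyond our control; what
        # the retained record holds is the part this fix addresses.
        password[:] = bytes(len(password))
```

A memory dump of a process using the hardened record yields only the salted hash, which still has to be brute-forced, whereas the vulnerable record hands over the credential directly.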
📡 Detection & Monitoring
Log Indicators:
- Unusual administrator login patterns
- Multiple failed login attempts followed by successful login
Network Indicators:
- Unusual local system access patterns to Turms Server hosts
SIEM Query:
source="turms-server" AND (event="admin_login" OR event="authentication") | stats count by user, src_ip
🔗 References
- https://github.com/Xzzz111/public_cve_report/blob/main/CVE-2025-66910_report.md
- https://github.com/turms-im/turms
- https://github.com/turms-im/turms/blob/develop/turms-server-common/src/main/java/im/turms/server/common/domain/admin/bo/AdminInfo.java#L34
- https://github.com/turms-im/turms/blob/develop/turms-server-common/src/main/java/im/turms/server/common/domain/admin/service/BaseAdminService.java#L237