CVE-2025-24968

HighPublic PoC

Published: 04 February 2025

Published

04 February 2025

Modified

13 May 2025

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0035 57.6th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Adversaries may create an account to maintain access to victim systems.

Security Summary

CVE-2025-24968 is an unrestricted project deletion vulnerability in reNgine, an automated reconnaissance framework for web applications. Attackers with specific roles, such as penetration_tester or auditor, can delete all projects in the system, bypassing intended restrictions. This flaw, linked to CWE-284 (Improper Access Control), affects all versions up to and including 2.20 and carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H).

An authenticated attacker possessing a low-privilege role like penetration_tester or auditor can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows deletion of all projects, which redirects the attacker to the onboarding page. From there, they achieve complete system takeover by adding or modifying users—including creating Sys Admins—and configuring critical settings such as API keys and user preferences.

The GitHub security advisory (GHSA-3327-6x79-q396) recommends that users monitor the reNgine project repository for future releases that address this issue, as no patches or known workarounds are currently available.

Details

CWE(s): CWE-284NVD-CWE-noinfo

Affected Products

yogeshojha

rengine

≤ 2.2.0

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1485 Data Destruction Impact

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.

attack.mitre.org →

T1098 Account Manipulation Persistence

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

attack.mitre.org →

T1136 Create Account Persistence

Adversaries may create an account to maintain access to victim systems.

attack.mitre.org →

Why these techniques?

The vulnerability enables unauthorized deletion of all projects (T1485 Data Destruction) due to improper access control bypass from low-priv roles, directly facilitating privilege escalation (T1068) to perform account creation (T1136) and manipulation (T1098) for full system takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/yogeshojha/rengine/security/advisories/GHSA-3327-6x79-q396
Exploit, Vendor Advisory · security-advisories@github.com
https://github.com/yogeshojha/rengine/security/advisories/GHSA-3327-6x79-q396
Exploit, Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0