CVE-2026-25858
Published: 07 February 2026
Description
macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim's telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number.
Mitigating Controls (NIST 800-53 r5)
IA-5 mandates protection of authenticator content from unauthorized disclosure and compromise, directly preventing OTP exposure and improper validation in the password reset workflow.
SI-15 requires filtering sensitive information such as OTPs from API responses, blocking unauthenticated attackers from retrieving them using a victim's telephone number.
AC-14 limits the actions permitted without identification or authentication, so that password reset initiation and OTP retrieval require an identified and authenticated user, eliminating unauthenticated account takeover.
Security Summary
CVE-2026-25858 is an authentication vulnerability (CWE-640) in macrozheng mall version 1.0.3 and prior, specifically within the mall-portal password reset workflow. The flaw stems from the password reset process exposing the one-time password (OTP) directly in the API response and validating reset requests only by comparing the provided OTP against a value stored by telephone number, without any verification of user identity or telephone number ownership. This enables unauthenticated attackers to reset arbitrary user passwords using just a victim's telephone number, which may be known or guessable. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
An unauthenticated attacker with network access can exploit this vulnerability remotely and with low complexity. By obtaining a victim's telephone number, the attacker triggers the password reset flow to retrieve the OTP from the API response, then submits it along with a new password to complete the reset. This results in full account takeover, with high impact on the confidentiality and integrity of the victim's account, such as reading sensitive data or modifying account settings.
Mitigation details are available in related advisories, including the GitHub issue tracker at https://github.com/macrozheng/mall/issues/946, the project website at https://www.macrozheng.com/, and the VulnCheck advisory at https://www.vulncheck.com/advisories/macrozheng-mall-unauthenticated-password-reset-via-otp-disclosure.
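The reset flow described above, modelled as an added example that is not the mall project's own code: a hypothetical `WeakReset` with the two weaknesses the advisory names (OTP returned in the API response, validation by telephone number only) beside a `HardenedReset` that delivers the code out of band, stores only an HMAC of it, and enforces expiry, an attempt limit and single use. The class names, the `send_sms` hook and the in-memory member store are assumptions.

```python
"""Hypothetical model of a telephone-based password reset: the weak pattern described
for CVE-2026-25858 beside a hardened one. Constructed example, not the mall project's code."""
import hashlib, hmac, secrets, time

class WeakReset:
    """OTP returned in the API response and checked only against the telephone number."""
    def __init__(self):
        self.codes = {}  # telephone -> plaintext OTP

    def get_auth_code(self, telephone):
        code = f"{secrets.randbelow(10**6):06d}"
        self.codes[telephone] = code
        return {"code": 200, "data": code}  # leaks the OTP to whoever called the API

    def update_password(self, telephone, new_password, code):
        return self.codes.get(telephone) == code  # no account check, expiry or attempt limit

class HardenedReset:
    """OTP sent out of band only; stored as an HMAC, time-limited, attempt-limited, single use."""
    TTL_SECONDS, MAX_ATTEMPTS = 300, 5

    def __init__(self, members, send_sms):
        self.members = members    # telephone -> member record; only registered numbers get a code
        self.send_sms = send_sms  # injected out-of-band delivery; possession of the phone proves ownership
        self.pending = {}         # telephone -> (hmac_of_code, expiry, failed_attempts)
        self.key = secrets.token_bytes(32)

    def _mac(self, code):
        return hmac.new(self.key, code.encode(), hashlib.sha256).digest()

    def request_code(self, telephone):
        if telephone in self.members:
            code = f"{secrets.randbelow(10**6):06d}"
            self.pending[telephone] = (self._mac(code), time.time() + self.TTL_SECONDS, 0)
            self.send_sms(telephone, code)
        return {"code": 200, "data": None}  # identical reply for unknown numbers; OTP never in the API

    def update_password(self, telephone, new_password, code):
        mac, expiry, attempts = self.pending.get(telephone, (None, 0.0, 0))
        if mac is None or time.time() > expiry or attempts >= self.MAX_ATTEMPTS:
            self.pending.pop(telephone, None)  # no code, expired, or locked out: discard it
            return False
        if not hmac.compare_digest(mac, self._mac(code)):
            self.pending[telephone] = (mac, expiry, attempts + 1)
            return False
        del self.pending[telephone]  # single use
        self.members[telephone]["password"] = new_password  # a real service hashes this
        return True
```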
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables unauthenticated remote attackers to exploit a public-facing web application API flaw in the password reset workflow, directly facilitating arbitrary account takeover.