
CVE-2025-6533: Authentication Bypass by Capture-replay in xxyopen novel-plus

Severity: Medium
Tags: Vulnerability, CVE-2025-6533
Published: Tue Jun 24 2025 (06/24/2025, 00:00:12 UTC)
Source: CVE Database V5
Vendor/Project: xxyopen
Product: novel-plus

Description

A vulnerability, which was classified as critical, has been found in xxyopen/201206030 novel-plus up to 5.1.3. Affected by this issue is the function ajaxLogin of the file novel-admin/src/main/java/com/java2nb/system/controller/LoginController.java of the component CAPTCHA Handler. The manipulation leads to authentication bypass by capture-replay. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 06/24/2025, 00:24:47 UTC

Technical Analysis

CVE-2025-6533 is a critical vulnerability identified in the xxyopen novel-plus software, specifically affecting versions 5.1.0 through 5.1.3. The flaw resides in the ajaxLogin function within the novel-admin/src/main/java/com/java2nb/system/controller/LoginController.java file, which handles the CAPTCHA mechanism during authentication. The vulnerability allows an attacker to bypass authentication by performing a capture-replay attack against the CAPTCHA handler. Essentially, an attacker can intercept a legitimate CAPTCHA validation token or response and replay it to gain unauthorized access without needing valid credentials. This attack can be launched remotely over the network without requiring any prior authentication or user interaction. However, the attack complexity is considered high, indicating that exploitation requires significant effort, such as capturing valid tokens during a login session and successfully replaying them before expiration or invalidation. The vulnerability impacts confidentiality, integrity, and availability by enabling unauthorized access to potentially sensitive administrative functions or user accounts. The vendor has been notified but has not responded or provided a patch, and while no known exploits are currently observed in the wild, the exploit details have been publicly disclosed, increasing the risk of future exploitation. The CVSS 4.0 base score is 6.3 (medium severity), reflecting a network attack vector, high attack complexity, no privileges or user interaction required, and low impact on each of confidentiality, integrity, and availability, which together produce a medium overall rating.
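The token reuse described above leaves a trace in authentication logs: a CAPTCHA challenge should be answered exactly once, so any challenge id that shows up in more than one login request is either a client bug or a replay, and reuse from a second source address or for a different account is the strongest signal. The following added example (written for this page, not code from novel-plus or its vendor) groups login requests by the challenge id they presented and reports every id used more than once. The log layout, the `/ajaxLogin` path and the `captcha_id`/`user`/`result` field names are assumptions made for the constructed sample; a real deployment would map its own access-log fields.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real novel-plus output): one line per
# login request, including the CAPTCHA challenge id the client presented.
# The path and field names are assumptions for this example.
SAMPLE_LOG = """\
2025-06-24T00:01:02Z 203.0.113.10 POST /ajaxLogin captcha_id=a1f3 user=editor result=success
2025-06-24T00:01:09Z 203.0.113.10 POST /ajaxLogin captcha_id=b7c2 user=editor result=fail
2025-06-24T00:02:30Z 198.51.100.7 POST /ajaxLogin captcha_id=a1f3 user=editor result=success
2025-06-24T00:02:31Z 198.51.100.7 POST /ajaxLogin captcha_id=a1f3 user=admin result=success
2025-06-24T00:03:00Z 203.0.113.11 POST /ajaxLogin captcha_id=c9d4 user=reader result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /ajaxLogin captcha_id=(?P<cid>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Turn matching log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_replayed_captchas(events):
    """Return {captcha_id: [events]} for every id presented more than once."""
    by_cid = defaultdict(list)
    for ev in events:
        by_cid[ev["cid"]].append(ev)
    return {cid: evs for cid, evs in by_cid.items() if len(evs) > 1}


def alerts(log_text):
    """Summarise each reused challenge id: how often it was used, from which
    source addresses, for which accounts, and how many of those uses the
    server accepted. Several successes on one id means the server is not
    consuming challenges after use."""
    out = []
    for cid, evs in find_replayed_captchas(parse(log_text)).items():
        out.append({
            "captcha_id": cid,
            "uses": len(evs),
            "ips": sorted({e["ip"] for e in evs}),
            "users": sorted({e["user"] for e in evs}),
            "successes": sum(e["result"] == "success" for e in evs),
        })
    return out


if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```

On the constructed sample this reports one id, `a1f3`, used three times from two addresses for two accounts with three accepted logins; the second and third uses are what a WAF rule or SIEM correlation on this field should block or page on.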

Potential Impact

For European organizations using xxyopen novel-plus versions 5.1.0 to 5.1.3, this vulnerability presents a significant risk of unauthorized access to administrative or user accounts. This could lead to data breaches, unauthorized modifications, or disruption of services relying on the affected software. Given that novel-plus is a specialized product, organizations in sectors such as publishing, digital content management, or software development that utilize this platform may be particularly impacted. The ability to bypass authentication remotely without user interaction increases the threat surface, especially for internet-facing deployments. Although exploitation complexity is high, the public disclosure of exploit details raises the likelihood of targeted attacks, particularly against high-value targets. The lack of vendor response and patches exacerbates the risk, potentially leading to prolonged exposure. Confidentiality could be compromised through unauthorized data access, integrity through unauthorized changes, and availability if attackers disrupt services or lock out legitimate users. This vulnerability could also be leveraged as a foothold for further lateral movement within networks.

Mitigation Recommendations

1. Immediate mitigation should include restricting external access to the affected ajaxLogin endpoint by implementing network-level controls such as IP whitelisting, VPN access, or web application firewalls (WAF) with custom rules to detect and block replayed CAPTCHA tokens.
2. Deploy monitoring and logging focused on authentication attempts, especially repeated or anomalous login requests that may indicate replay attacks.
3. Implement additional multi-factor authentication (MFA) mechanisms independent of the vulnerable CAPTCHA system to add a layer of security.
4. If possible, disable or replace the vulnerable CAPTCHA handler with a more secure alternative that includes nonce or timestamp validation to prevent replay.
5. Engage in active threat hunting for signs of exploitation and prepare incident response plans tailored to potential unauthorized access scenarios.
6. Since no official patch is available, consider isolating or segmenting systems running novel-plus to limit potential lateral movement.
7. Regularly check for vendor updates or community patches and plan for timely application once available.
8. Educate administrators and users about the risks and signs of compromise related to this vulnerability.
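Recommendation 4 asks for a CAPTCHA handler with nonce and timestamp validation. What that means in practice is that the server keeps the expected answer under a random, single-use challenge id, ties it to the session that requested it, gives it a short lifetime, and deletes it the moment it is checked. The example below is added for this page and is not code from novel-plus; it places an illustrative weak verifier, whose entries survive a successful check and can therefore be replayed, next to a hardened one, and simulates both a legitimate login and the replay of the same captured pair. The class and function names, the fixed clock value and the sample answers are all assumptions made for the demonstration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class Challenge:
    answer: str        # expected CAPTCHA text, kept server-side only
    session_id: str    # session the challenge was issued to
    expires_at: float  # absolute expiry, epoch seconds


def _eq(a: str, b: str) -> bool:
    # Constant-time comparison; encoding lets non-ASCII answers through too.
    return hmac.compare_digest(a.encode(), b.encode())


class ReplayableCaptcha:
    """Weak pattern (illustrative, not novel-plus code): the challenge stays in
    the store after a successful check, so a captured (id, answer) pair can be
    resubmitted for as long as the entry exists."""

    def __init__(self):
        self._store = {}

    def issue(self, session_id, answer, ttl=120, now=None):
        now = time.time() if now is None else now
        cid = secrets.token_urlsafe(16)            # unguessable challenge id (nonce)
        self._store[cid] = Challenge(answer, session_id, now + ttl)
        return cid

    def verify(self, cid, session_id, answer, now=None):
        ch = self._store.get(cid)                  # never consumed, never expires
        if ch is None:
            return False
        return _eq(ch.answer.lower(), answer.lower())


class SingleUseCaptcha(ReplayableCaptcha):
    """Hardened verifier: the challenge is consumed on first use, must still be
    fresh, and must come back from the session it was issued to."""

    def verify(self, cid, session_id, answer, now=None):
        now = time.time() if now is None else now
        # pop() removes the entry whether or not the answer is right, so a
        # wrong guess cannot be retried against the same id either.
        ch = self._store.pop(cid, None)
        if ch is None:
            return False
        if now > ch.expires_at:                    # timestamp check
            return False
        if not _eq(ch.session_id, session_id):     # session binding
            return False
        return _eq(ch.answer.lower(), answer.lower())


def simulate(store_cls):
    """Issue one challenge, answer it correctly, then replay the captured pair.
    Returns (first_attempt_ok, replay_ok)."""
    store = store_cls()
    t0 = 1_750_000_000.0                           # fixed clock for reproducibility
    cid = store.issue("sess-A", "x7q2k", now=t0)
    first = store.verify(cid, "sess-A", "x7q2k", now=t0 + 5)
    replay = store.verify(cid, "sess-A", "x7q2k", now=t0 + 6)
    return first, replay


def simulate_misuse():
    """Expired and cross-session submissions against the hardened verifier.
    Returns (expired_ok, wrong_session_ok); both should be False."""
    store = SingleUseCaptcha()
    t0 = 1_750_000_000.0
    expired_id = store.issue("sess-A", "abc", ttl=60, now=t0)
    other_id = store.issue("sess-A", "def", now=t0)
    return (
        store.verify(expired_id, "sess-A", "abc", now=t0 + 61),   # one second late
        store.verify(other_id, "sess-B", "def", now=t0 + 1),      # different session
    )


if __name__ == "__main__":
    print("weak:     first=%s replay=%s" % simulate(ReplayableCaptcha))
    print("hardened: first=%s replay=%s" % simulate(SingleUseCaptcha))
    print("expired / cross-session:", simulate_misuse())
```

The consume step is the part that matters: in a multi-node deployment the challenge store has to be shared and the read-and-delete has to be atomic (for example a Redis GETDEL rather than a GET followed by a DEL), otherwise two nodes can each accept the same id once and the replay window is back.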


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-06-23T14:32:23.248Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 6859ecc2dec26fc862d8b65d

Added to database: 6/24/2025, 12:09:38 AM

Last enriched: 6/24/2025, 12:24:47 AM

Last updated: 6/24/2025, 12:24:47 AM

