
CVE-2025-8119: CWE-352 Cross-Site Request Forgery (CSRF) in Polska Akademia Dostępności PAD CMS

Medium
Tags: Vulnerability, CVE-2025-8119, CWE-352
Published: Tue Sep 30 2025 (09/30/2025, 10:04:54 UTC)
Source: CVE Database V5
Vendor/Project: Polska Akademia Dostępności
Product: PAD CMS

Description

PAD CMS is vulnerable to Cross-Site Request Forgery in its password reset functionality. A malicious attacker can craft a special website which, when visited by the victim, automatically sends a POST request that changes the currently logged-in user's password to a value defined by the attacker. This issue affects all 3 templates: www, bip and www+bip. This product is End-Of-Life and the producer will not publish patches for this vulnerability.

AI-Powered Analysis

AI analysis last updated: 09/30/2025, 10:11:22 UTC

Technical Analysis

CVE-2025-8119 is a Cross-Site Request Forgery (CSRF) vulnerability identified in the Polska Akademia Dostępności (PAD) CMS, specifically affecting the password reset functionality across all three templates: www, bip, and www+bip. CSRF vulnerabilities allow an attacker to trick an authenticated user into submitting a forged HTTP request, which in this case is a POST request that changes the currently logged-in user's password to a value defined by the attacker. This attack vector requires the victim to visit a maliciously crafted website, which then silently issues the password reset request without the user's consent or knowledge. The vulnerability is particularly critical because it does not require any prior authentication or elevated privileges from the attacker, and the attack can be executed remotely via social engineering. The PAD CMS product is End-Of-Life (EOL), meaning no patches or security updates will be provided by the vendor to remediate this issue. The CVSS 4.0 base score is 5.1 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required, but requiring user interaction (visiting a malicious site). The impact on confidentiality is none, but integrity is low due to the password change, and availability is unaffected. There are no known exploits in the wild as of the publication date. The vulnerability stems from inadequate anti-CSRF protections in the password reset mechanism, a common web security weakness categorized under CWE-352. Given the EOL status, organizations using PAD CMS must consider alternative mitigation strategies or migration paths.
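The mechanism described above, as an added illustration that is not PAD CMS code and does not reflect its internal structure: a minimal password-change handler in the vulnerable shape (any POST carrying the victim's session cookie is honoured) next to the same handler hardened with a per-session synchronizer token, which a third-party page cannot read and therefore cannot include in a forged form. The session store, field names and the `/reset-password` flow are constructed assumptions for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session_id -> session data.
# This is an assumption for the example, not the CMS's real session handling.
SESSIONS = {}


def new_session(username):
    """Log a user in and mint a per-session anti-CSRF token alongside the session."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {
        "user": username,
        "password": "old-secret",
        "csrf_token": secrets.token_urlsafe(32),
    }
    return sid


def issue_csrf_token(sid):
    """The value the server embeds as a hidden field in its own password form.
    Only same-origin content can read it; a cross-site page cannot."""
    return SESSIONS[sid]["csrf_token"]


def change_password_vulnerable(sid, form):
    """Vulnerable shape (CWE-352): the only check is that a valid session cookie
    arrived. The browser attaches that cookie to a forged cross-site POST too,
    so the attacker-chosen 'new_password' is accepted."""
    session = SESSIONS.get(sid)
    if session is None:
        return "unauthenticated"
    session["password"] = form["new_password"]
    return "changed"


def change_password_hardened(sid, form):
    """Hardened shape: the POST must also carry the session's own CSRF token,
    compared in constant time. A forged form has no way to obtain it."""
    session = SESSIONS.get(sid)
    if session is None:
        return "unauthenticated"
    submitted = form.get("csrf_token", "")
    expected = session["csrf_token"]
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return "rejected: missing or invalid CSRF token"
    session["password"] = form["new_password"]
    return "changed"


def demo():
    """Walk through both handlers with a forged form (no token) and a legitimate one."""
    sid = new_session("alice")
    forged = {"new_password": "attacker-chosen"}          # what a cross-site page can send
    legit = {"new_password": "user-chosen", "csrf_token": issue_csrf_token(sid)}
    return {
        "vulnerable_forged": change_password_vulnerable(sid, forged),
        "hardened_forged": change_password_hardened(sid, forged),
        "hardened_legit": change_password_hardened(sid, legit),
        "final_password": SESSIONS[sid]["password"],
    }


if __name__ == "__main__":
    print(demo())
```

The token must be tied to the session (or derived from it with an HMAC) and compared with a constant-time function; a global or guessable token defeats the purpose. Requiring the current password in the same form is a complementary control that limits the damage even if a token check is ever bypassed.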

Potential Impact

For European organizations using PAD CMS, this vulnerability poses a significant risk to user account integrity. An attacker exploiting this flaw can hijack user accounts by changing passwords without user consent, potentially leading to unauthorized access to sensitive information or administrative functions within the CMS. This could result in defacement, data leakage, or further compromise of internal systems if the CMS is integrated with other services. Since the product is EOL, organizations cannot rely on vendor patches, increasing their exposure. The attack requires user interaction but no authentication, making it feasible to target employees or administrators via phishing or malicious websites. The impact is heightened in public sector or governmental institutions in Europe that rely on PAD CMS for accessibility-focused content management, as unauthorized access could undermine trust and compliance with data protection regulations such as GDPR. Additionally, the inability to patch the vulnerability may lead to increased operational costs due to the need for compensating controls or migration efforts.

Mitigation Recommendations

Given the lack of vendor patches, European organizations should implement compensating controls to mitigate this CSRF vulnerability:

1. Deploy a web application firewall (WAF) or reverse proxy with custom rules that detect and block suspicious POST requests to the password reset endpoint, especially those lacking a valid anti-CSRF token or whose Origin or Referer header points to an untrusted site.
2. Enforce strict Content Security Policy (CSP) headers to reduce the risk of malicious external scripts executing.
3. Apply network-level controls such as restricting access to the CMS administration interface to trusted IP ranges or VPN-only access.
4. Educate users and administrators about phishing risks and the importance of not visiting untrusted websites while logged into the CMS.
5. Plan a migration away from PAD CMS to a supported and actively maintained CMS platform with robust security features.
6. Monitor logs for unusual password reset activity and implement multi-factor authentication (MFA) where possible to reduce the impact of compromised credentials.
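Two of the compensating controls above, the proxy-side request filter and the log monitoring, worked as an added example (not part of this advisory and not PAD CMS or vendor code). Because an EOL application cannot be retrofitted with tokens, the filter relies on what the browser sends on its own: it allows a POST to the reset endpoint only when `Sec-Fetch-Site` (where present) is `same-origin` and the `Origin` (or, failing that, `Referer`) header matches the CMS's own origin. The detection part scans access-log lines in the common combined format for reset POSTs whose referrer is not the CMS. The origin `https://cms.example.gov.pl`, the path `/reset-password` and the log lines are constructed placeholders; substitute the real host and endpoint.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholders: the real CMS origin and reset endpoint are not
# given on this page and must be substituted.
CMS_ORIGIN = "https://cms.example.gov.pl"
PROTECTED_PATHS = ("/reset-password",)


def header_origin(headers):
    """Derive the requesting origin from Origin, falling back to Referer."""
    origin = headers.get("Origin")
    if origin:
        return origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}"
    return None


def filter_request(method, path, headers):
    """Proxy/WAF decision for one request: returns ('allow'|'block', reason).
    Only state-changing POSTs to the protected endpoint are examined."""
    if method.upper() != "POST" or not path.startswith(PROTECTED_PATHS):
        return ("allow", "not a protected state-changing request")
    site = headers.get("Sec-Fetch-Site")
    if site is not None and site != "same-origin":
        # Modern browsers label cross-site navigations/submissions themselves.
        return ("block", f"Sec-Fetch-Site={site}")
    origin = header_origin(headers)
    if origin is None:
        # Browsers always send Origin on POST; a bare POST is either a
        # non-browser client or a stripped header. Allowlist such clients explicitly.
        return ("block", "no Origin or Referer on POST to reset endpoint")
    if origin.lower() != CMS_ORIGIN:
        return ("block", f"origin {origin} is not the CMS origin")
    return ("allow", "same-origin POST")


# Combined log format: ip - user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log for the example (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Sep/2025:10:04:54 +0000] "POST /reset-password HTTP/1.1" 302 0 "https://cms.example.gov.pl/reset-password" "Mozilla/5.0"
198.51.100.9 - - [30/Sep/2025:10:05:10 +0000] "POST /reset-password HTTP/1.1" 302 0 "https://third-party.example/page" "Mozilla/5.0"
198.51.100.9 - - [30/Sep/2025:10:05:12 +0000] "GET /index HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.4 - - [30/Sep/2025:10:06:00 +0000] "POST /reset-password HTTP/1.1" 302 0 "-" "curl/8.0"
"""


def suspicious_resets(log_text):
    """Return (timestamp, ip, path, referer) for reset POSTs whose referrer is
    absent or not the CMS itself; these are the events worth alerting on."""
    hits = []
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith(PROTECTED_PATHS):
            continue
        ref = m["referer"]
        ref_origin = None
        if ref != "-":
            parts = urlsplit(ref)
            ref_origin = f"{parts.scheme}://{parts.netloc}"
        if ref_origin != CMS_ORIGIN:
            hits.append((m["ts"], m["ip"], m["path"], ref))
    return hits


if __name__ == "__main__":
    print(filter_request("POST", "/reset-password", {"Origin": "https://third-party.example"}))
    for hit in suspicious_resets(SAMPLE_LOG):
        print("suspect reset:", hit)
```

A WAF rule of this kind blocks the forged request before the EOL application sees it, but it is only a stopgap: `Referer` can be suppressed by policy on the legitimate site, and any non-browser integration that posts to the endpoint must be allowlisted by source, so the migration item in the list above remains the real fix.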


Technical Details

Data Version
5.1
Assigner Short Name
CERT-PL
Date Reserved
2025-07-24T14:23:32.250Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68dbac586e3c400c0ffa5e02

Added to database: 9/30/2025, 10:09:28 AM

Last enriched: 9/30/2025, 10:11:22 AM

Last updated: 9/30/2025, 10:11:22 AM
