CVE-2026-25858: CWE-640 Weak Password Recovery Mechanism for Forgotten Password in macrozheng mall
macrozheng mall version 1.0.3 and earlier contains a critical authentication vulnerability in its password reset process. An unauthenticated attacker can reset any user's password by knowing or guessing their telephone number. The vulnerability arises because the one-time password (OTP) is exposed directly in the API response and the system validates password resets solely by matching the OTP to the telephone number without verifying user identity or ownership. This flaw enables remote account takeover without requiring user interaction or privileges.
AI Analysis
Technical Summary
CVE-2026-25858 is a critical authentication vulnerability in macrozheng mall (version 1.0.3 and prior) affecting the password reset workflow. The weakness lies in the password recovery mechanism where the OTP is returned in the API response and password reset requests are validated only by comparing the OTP to a stored value linked to the telephone number. There is no additional verification of user identity or telephone number ownership, allowing an unauthenticated attacker to reset arbitrary user passwords remotely if they know or can guess the victim's phone number. This vulnerability is classified under CWE-640 (Weak Password Recovery Mechanism).
Potential Impact
Successful exploitation allows an unauthenticated attacker to take over any user account by resetting the password remotely. This compromises user account confidentiality and integrity, potentially leading to unauthorized access to sensitive user data and actions within the application. The vulnerability has a CVSS 4.0 base score of 9.3 (critical), reflecting its ease of exploitation and high impact on confidentiality and integrity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, it is recommended to disable or restrict the vulnerable password reset functionality and implement additional verification steps to confirm user identity and telephone number ownership during password recovery. Avoid exposing OTPs in API responses and enforce multi-factor verification mechanisms for password resets.
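As an added illustration of the hardened flow the recommendations describe (example code written for this page, not macrozheng mall's own implementation): the OTP is delivered only out of band and stored hashed with an expiry and an attempt limit, and a correct OTP is exchanged for a single-use reset token bound to the phone number, so nothing in an API response can be replayed to reset the account. The class and function names, the sample phone numbers, and the TTL and attempt-limit values are assumptions.

```python
import hashlib, hmac, secrets, time

OTP_TTL_SECONDS = 300   # assumed policy: OTP and reset token expire after five minutes
MAX_OTP_ATTEMPTS = 5    # assumed policy: wrong guesses before the OTP is discarded


class PasswordResetService:
    """Phone-based reset where the OTP leaves the server only via SMS, never in a response."""

    def __init__(self, users, send_sms, now=time.time):
        self.users = users          # phone -> account record (constructed sample store)
        self.send_sms = send_sms    # out-of-band delivery callback
        self.now = now              # injectable clock so expiry can be tested
        self.pending = {}           # phone -> {"otp_hash", "expires", "attempts"}
        self.reset_tokens = {}      # single-use token -> (phone, expires)

    def request_otp(self, phone):
        # Same reply for known and unknown numbers: no phone enumeration.
        if phone in self.users:
            otp = f"{secrets.randbelow(10**6):06d}"
            self.pending[phone] = {"otp_hash": hashlib.sha256(otp.encode()).hexdigest(),
                                   "expires": self.now() + OTP_TTL_SECONDS, "attempts": 0}
            self.send_sms(phone, otp)   # only the number's owner receives the code
        return {"message": "If the number is registered, a code has been sent."}

    def verify_otp(self, phone, otp):
        """Exchange a correct OTP for a single-use reset token; None on any failure."""
        entry = self.pending.get(phone)
        if entry is None or self.now() > entry["expires"]:
            self.pending.pop(phone, None)
            return None
        entry["attempts"] += 1
        if entry["attempts"] > MAX_OTP_ATTEMPTS:     # bound online guessing
            del self.pending[phone]
            return None
        if not hmac.compare_digest(entry["otp_hash"], hashlib.sha256(otp.encode()).hexdigest()):
            return None
        del self.pending[phone]                      # OTP is consumed on success
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = (phone, self.now() + OTP_TTL_SECONDS)
        return token

    def reset_password(self, token, new_password):
        """Set the password of the account bound to the token; True on success."""
        phone, expires = self.reset_tokens.pop(token, (None, 0))   # token is single use
        if phone is None or self.now() > expires:
            return False
        salt = secrets.token_bytes(16)
        self.users[phone]["password"] = (salt, hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000))
        return True
```

The contrast with the advisory is in `request_otp`: the API reply carries no OTP, and `reset_password` accepts only a token that was minted after a verified, unexpired, un-guessed OTP for that specific number.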
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-02-06T19:12:03.463Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6987b5ecf9fa50a62fd2db09
Added to database: 2/7/2026, 10:00:12 PM
Last enriched: 4/15/2026, 3:55:32 PM
Last updated: 5/10/2026, 2:07:18 PM