CVE-2026-32865: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in OPEXUS eComplaint
OPEXUS eComplaint and eCASE before version 10.1.0.0 include the secret verification code in the HTTP response when requesting a password reset via 'ForcePasswordReset.aspx'. An attacker who knows an existing user's email address can reset the user's password and security questions. Existing security questions are not asked during the process.
AI Analysis
Technical Summary
CVE-2026-32865 is a critical security vulnerability affecting OPEXUS eComplaint and eCASE products before version 10.1.0.0. The flaw arises from the inclusion of the secret verification code in the HTTP response when a password reset is requested via the 'ForcePasswordReset.aspx' endpoint. This secret code is intended to be confidential and used to verify the legitimacy of the password reset request. However, because it is exposed directly in the HTTP response, an attacker who knows a valid user's email address can retrieve this code and reset the user's password and security questions without needing to answer any existing security questions or provide authentication. This bypasses standard security controls designed to prevent unauthorized password resets. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information) and CWE-640 (Weak Password Recovery Mechanism). The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity, and availability. Although no exploits are currently known in the wild, the vulnerability's nature makes it highly exploitable and dangerous. The affected versions include all prior to 10.1.0.0, and no official patches are listed yet, emphasizing the need for immediate mitigation.
Potential Impact
This vulnerability allows attackers to take over user accounts by resetting passwords and security questions without authentication or user interaction, leading to full compromise of user identities within the OPEXUS eComplaint and eCASE systems. The exposure of the secret verification code compromises confidentiality, while unauthorized password resets impact integrity and availability of user accounts. Organizations relying on these products for complaint management or case handling risk unauthorized access to sensitive personal or organizational data, potential data breaches, and disruption of services. The critical severity and ease of exploitation mean attackers can quickly compromise multiple accounts if they know valid email addresses, potentially leading to broader system compromise or data leakage. This could damage organizational reputation, violate privacy regulations, and cause operational disruptions.
Mitigation Recommendations
Organizations should immediately upgrade OPEXUS eComplaint and eCASE to version 10.1.0.0 or later once available, as this version addresses the vulnerability. Until patches are applied, restrict access to the 'ForcePasswordReset.aspx' endpoint via network controls such as firewalls or web application firewalls (WAF) to limit exposure. Implement monitoring and alerting for unusual password reset requests or multiple resets from the same IP or targeting the same user. Enforce multi-factor authentication (MFA) on user accounts to reduce the impact of compromised credentials. Review and strengthen password reset workflows to ensure secret verification codes are never exposed in responses and that security questions or other verification steps are enforced. Conduct user awareness campaigns to alert users about potential phishing or social engineering attempts exploiting this vulnerability. Finally, audit logs for suspicious activity related to password resets and investigate any anomalies promptly.
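As an added defensive example (not code from the advisory or the vendor), the monitoring step above can be implemented over web server access logs: the script parses constructed IIS-style log lines, keeps only requests to ForcePasswordReset.aspx, and flags a source IP that issues a burst of reset requests or a user account targeted repeatedly inside a sliding window. The log layout, the `email` query parameter and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log in a simplified W3C/IIS-style layout (not real OPEXUS output):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2026-03-19 14:00:01 203.0.113.7 POST /ForcePasswordReset.aspx email=alice@example.test 200
2026-03-19 14:00:05 203.0.113.7 POST /ForcePasswordReset.aspx email=bob@example.test 200
2026-03-19 14:00:09 203.0.113.7 POST /ForcePasswordReset.aspx email=carol@example.test 200
2026-03-19 14:00:12 203.0.113.7 POST /ForcePasswordReset.aspx email=dave@example.test 200
2026-03-19 14:30:00 198.51.100.4 POST /ForcePasswordReset.aspx email=erin@example.test 200
2026-03-19 15:10:00 192.0.2.9 POST /ForcePasswordReset.aspx email=erin@example.test 200
2026-03-19 15:20:00 192.0.2.10 POST /ForcePasswordReset.aspx email=erin@example.test 200
2026-03-19 15:25:00 192.0.2.11 GET /Default.aspx - 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")
RESET_PATH = "/forcepasswordreset.aspx"  # compared case-insensitively, as IIS paths are

def parse_reset_events(log_text):
    """Return [(timestamp, src_ip, target_email)] for each ForcePasswordReset.aspx request."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(5).lower() != RESET_PATH:
            continue
        date, time, ip, _method, _uri, query, _status = m.groups()
        params = dict(kv.split("=", 1) for kv in query.split("&") if "=" in kv)
        events.append((datetime.fromisoformat(f"{date}T{time}"), ip, params.get("email", "").lower()))
    return events

def find_reset_anomalies(log_text, window=timedelta(minutes=15), per_ip=3, per_user=2):
    """Flag source IPs issuing >= per_ip resets, and users targeted >= per_user times, inside `window`."""
    events = sorted(parse_reset_events(log_text))
    alerts = set()
    for field, limit, kind in ((1, per_ip, "ip"), (2, per_user, "user")):
        recent = defaultdict(list)  # key -> timestamps still inside the sliding window
        for ev in events:
            bucket = recent[ev[field]]
            bucket.append(ev[0])
            while ev[0] - bucket[0] > window:  # drop timestamps that fell out of the window
                bucket.pop(0)
            if len(bucket) >= limit:
                alerts.add((kind, ev[field]))
    return sorted(alerts)

if __name__ == "__main__":
    for kind, key in find_reset_anomalies(SAMPLE_LOG):
        print(f"ALERT: burst of password resets by {kind} {key}")
```

The same per-IP and per-user counters can be fed from a WAF or reverse proxy in front of the endpoint, which also gives the network-level restriction recommended above a concrete enforcement point.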
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, France, India, South Africa, Singapore, United Arab Emirates
Technical Details
- Data Version: 5.2
- Assigner Short Name: cisa-cg
- Date Reserved: 2026-03-16T20:57:07.192Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bc1fb1e32a4fbe5fd82127
Added to database: 3/19/2026, 4:09:21 PM
Last enriched: 3/19/2026, 4:23:42 PM
Last updated: 3/20/2026, 5:19:25 AM