cbcvebase.
CVE-2025-10644
published 2025-09-17


Priority: P2, 78
CVSS 3.0: 9.4 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS: 3.74% (88.5th percentile)
Wondershare Repairit SAS Token Incorrect Permission Assignment Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on Wondershare Repairit. Authentication is not required to exploit this vulnerability. The specific flaw exists within the permissions granted to an SAS token. An attacker can leverage this vulnerability to launch a supply-chain attack and execute arbitrary code on customers' endpoints. Was ZDI-CAN-26892.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
wondershare | repairit | |

Detection & IOCs (extracted from sources)

  • Hardcoded cloud storage credentials (secret access ID and key) are embedded in the Wondershare Repairit compiled binary executable; analysts should extract strings from the binary to identify cloud object storage identifiers (URLs and API endpoints), a secret access ID and key, and defined bucket names
  • The Wondershare Repairit binary contains hardcoded read AND write credentials to a cloud storage bucket; detection should look for outbound connections from the application to cloud object storage endpoints carrying both read and write operations, which is anomalous for a client app
  • Monitor for the Wondershare Repairit binary initiating downloads of AI model zip files from a cloud storage bucket; the binary is configured with a specific bucket address and AI model zip filename — unexpected zip downloads from cloud storage by this process are a supply-chain attack indicator
  • Alert on the Wondershare Repairit process downloading and executing AI models or executables retrieved from cloud storage; execution of code fetched from a remote bucket by a signed vendor binary is a key supply-chain attack indicator
  • Hunt for signed application executables being downloaded from the same cloud storage bucket used by Wondershare Repairit; the bucket also contains binaries for other Wondershare products, meaning tampered signed binaries could be delivered to users of multiple products
  • No specific hardcoded credential values, bucket names, or cloud storage URLs were published in the sources; the exact IOC strings remain undisclosed and must be obtained via binary analysis of the Wondershare Repairit executable
  • The vulnerability affects the SAS/cloud-storage token permissions baked into the binary; the affected version range is not specified in the published sources, so all distributed versions of Wondershare Repairit should be treated as potentially affected until the vendor issues a patched release
  • The cloud storage bucket contains customer data stored without encryption dating back two years; any forensic investigation must account for the possibility that threat actors have already accessed or modified bucket contents prior to disclosure
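
The string-extraction check from the first bullet, as an added example (not code from this page or from the vendor): it pulls ASCII and UTF-16LE strings out of a binary, finds URLs that carry a SAS token, and flags tokens whose permissions allow modifying stored objects. It assumes Azure-style SAS query fields (sp, se, sig), which the page does not confirm; the host, token values and function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Assumption: Azure-style SAS query fields (sp=permissions, se=expiry, sig=signature).
MUTATING = {"a": "add", "c": "create", "w": "write", "d": "delete"}
ASCII_RUN = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")  # wide strings, common in Windows binaries
URL = re.compile(r"https?://[^\s\"'<>]+")

def strings(blob):
    """Yield printable ASCII and UTF-16LE runs, like the `strings` utility."""
    for m in ASCII_RUN.finditer(blob):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.group().decode("utf-16le")

def audit_sas(url, now):
    """Return a finding for a SAS-bearing URL, or None if it carries no token."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    if "sig" not in q or "sp" not in q:
        return None
    mutating = sorted(MUTATING[p] for p in q["sp"][0] if p in MUTATING)
    days_left = None
    if "se" in q:  # expiry, ISO 8601; a date-only value is treated as UTC midnight
        expiry = datetime.fromisoformat(q["se"][0].replace("Z", "+00:00"))
        expiry = expiry if expiry.tzinfo else expiry.replace(tzinfo=timezone.utc)
        days_left = (expiry - now).days
    return {
        "resource": f"{parts.scheme}://{parts.netloc}{parts.path}",  # signature is never echoed
        "permissions": q["sp"][0],
        "mutating": mutating,
        "days_left": days_left,
        "severity": "high" if mutating else "info",
    }

def scan(blob, now):
    found = [audit_sas(u, now) for s in strings(blob) for u in URL.findall(s)]
    return [f for f in found if f]

# Constructed sample bytes standing in for a client binary (no real host or token).
BASE = "https://storage.example.invalid"
TAIL = "&se=2027-01-01T00:00:00Z&sig=CONSTRUCTED%3D"
SAMPLE = (b"MZ\x90\x00"
          + f"{BASE}/models/model.zip?sr=c&sp=rwdl{TAIL}".encode("ascii") + b"\x00\xff"
          + f"{BASE}/docs/readme.txt?sr=b&sp=r{TAIL}".encode("utf-16le") + b"\x00\x00")

if __name__ == "__main__":
    print(*scan(SAMPLE, datetime(2025, 9, 17, tzinfo=timezone.utc)), sep="\n")
```

A "high" finding means the token shipped to every client can change what other clients download; the long days_left value shows how long that exposure lasts without rotation.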