CVE-2025-6216
Published 2025-06-21
Priority: P184 · Severity: critical · CVSS 3.0 base score: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 29.43% (97.9th percentile)
Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of Allegra. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the password recovery mechanism. The issue results from reliance upon a predictable value when generating a password reset token. An attacker can leverage this vulnerability to bypass authentication on the application. Was ZDI-CAN-27104.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| allegra | allegra | — | — |
| alltena | allegra | >= 7.0.0 < 7.5.2.70 | 7.5.2.70 |
| alltena | allegra | >= 8.0.0 < 8.1.24 | 8.1.24 |
Detection & IOCs (extracted from sources)
- Monitor POST requests to /resetPassword.action carrying the parameter fromAjax=true; this request triggers generation of the predictable reset token.
- The reset token is the SHA-256 of the token's expiry timestamp in milliseconds, where the expiry is server time + 28800000 ms (8 hours). Because the HTTP Date header is second-granular, the millisecond value is one of only 1000 candidates within that second. Detect rapid sequential GET requests to /resetPassword!confirm.action?ctk= with varying token values from a single source.
- A successful exploit response contains the string com.trackplus.app.logon.ResetPasswordApplication in the HTTP response body of /resetPassword!confirm.action.
- The initial password reset request returns JSON containing emailSent and "success":true; correlate that response with subsequent rapid GET requests to /resetPassword!confirm.action?ctk= from the same source IP to identify exploitation attempts.
- Allegra installations can be fingerprinted via favicon hash 284403119 on Shodan/FOFA; use this to inventory exposed attack surface, including your own instances.
- The brute-force window is bounded by the server's Date header: the attacker reads Date from the reset response, adds 28800000 ms to derive the expiry base, and iterates the 1000 millisecond offsets, so the attack completes in seconds.
- No authentication is required to trigger the password reset or to confirm the token; the entire exploit chain is unauthenticated.
- The vulnerable function is calculateTokenExpDate in the password recovery mechanism. The source quote names 8.1.4 and 7.5.2 as the patched versions, whereas the affected-version data above lists 7.5.2.70 and 8.1.24 as the fixed releases; confirm the exact fixed build against the vendor advisory before closing a ticket.
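The two mechanisms described above, the 1000-candidate token window derived from a response Date header and the correlation of a reset POST with a burst of confirm GETs, as an added example that is not code from this page, from ZDI, or from the Allegra project. It assumes (none of this is stated on the page) that the expiry timestamp is hashed as its decimal ASCII string and the token is a lowercase hex digest, that access logs are in combined log format, and that 20 confirm requests within 60 seconds of a reset POST is a reasonable alert threshold; the log lines are constructed.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import Optional

# From the advisory: the reset token is SHA-256 over the expiry timestamp in
# milliseconds, and the expiry is server time + 8 hours.
TOKEN_LIFETIME_MS = 28_800_000
# The HTTP Date header is second-granular, so the millisecond part of the
# expiry can only take 1000 values.
DATE_RESOLUTION_MS = 1_000


def expiry_base_ms(date_header: str) -> int:
    """Expiry base (ms) implied by a Date header such as 'Sat, 21 Jun 2025 10:00:00 GMT'."""
    server_s = int(parsedate_to_datetime(date_header).timestamp())
    return server_s * 1000 + TOKEN_LIFETIME_MS


def candidate_tokens(date_header: str) -> list:
    """The 1000 candidate ctk values implied by one Date header.

    Assumption (not stated on the page): the timestamp is hashed as its decimal
    ASCII string and the token is the lowercase hex digest.
    """
    base = expiry_base_ms(date_header)
    return [hashlib.sha256(str(base + off).encode("ascii")).hexdigest()
            for off in range(DATE_RESOLUTION_MS)]


# Combined-log-format line: ip ident user [ts] "METHOD path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line: str) -> Optional[tuple]:
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"]


def flag_reset_bruteforce(lines, threshold: int = 20, window_s: int = 60) -> dict:
    """Return {ip: confirm_count} for sources that POSTed /resetPassword.action and
    then issued >= threshold GETs to /resetPassword!confirm.action?ctk= within
    window_s seconds. fromAjax=true travels in the POST body and is usually not
    visible in access logs, so only the path is matched here."""
    resets = defaultdict(list)
    confirms = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method == "POST" and path.split("?")[0] == "/resetPassword.action":
            resets[ip].append(ts)
        elif method == "GET" and path.startswith("/resetPassword!confirm.action?ctk="):
            confirms[ip].append(ts)
    flagged = {}
    for ip, reset_times in resets.items():
        for t0 in reset_times:
            n = sum(1 for t in confirms[ip] if 0 <= (t - t0).total_seconds() <= window_s)
            if n >= threshold:
                flagged[ip] = max(n, flagged.get(ip, 0))
    return flagged


def build_sample_log() -> list:
    """Constructed sample log: one attacker burst and one ordinary reset."""
    attacker, user = "203.0.113.7", "198.51.100.2"  # documentation-range IPs
    fmt = '{ip} - - [21/Jun/2025:10:00:{s:02d} +0000] "{m} {p} HTTP/1.1" 200 -'
    lines = [fmt.format(ip=attacker, s=0, m="POST", p="/resetPassword.action")]
    for i in range(40):  # 40 guesses spread over two seconds
        lines.append(fmt.format(ip=attacker, s=1 + i // 20, m="GET",
                                p=f"/resetPassword!confirm.action?ctk={i:064x}"))
    lines.append(fmt.format(ip=user, s=30, m="POST", p="/resetPassword.action"))
    lines.append(fmt.format(ip=user, s=45, m="GET",
                            p="/resetPassword!confirm.action?ctk=" + "ab" * 32))
    return lines


if __name__ == "__main__":
    print(len(candidate_tokens("Sat, 21 Jun 2025 10:00:00 GMT")), "candidate tokens")
    print(flag_reset_bruteforce(build_sample_log()))
```

The detection side keys on request shape and timing rather than on token values, so it still fires if the hashing input format assumed above turns out to differ; the candidate generator is only there to show how small the search space is once the Date header is known.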
No detection rules found.
Nuclei
CVE-2025-6216 [CRITICAL] Allegra - Authentication Bypass via Predictable Password Reset Token (nuclei · CVSS 9.8)
Template:
```yaml
id: CVE-2025-6216
info:
  name: Allegra - Authentication Bypass via Predictable Password Reset Token
  author: iamnoooob,pdresearch
  severity: critical
  description: |
    Allegra calculateTokenExpDate Password Recovery Authentication Bypass Vulnerability.
```
No writeups or analysis indexed.