CVE-2025-56676
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Summary
TitanSystems Zender v3.9.7 contains an account takeover vulnerability in its password reset functionality. A temporary password or reset token issued to one user can be used to log in as another user, due to improper validation of token-user linkage. This allows remote attackers to gain unauthorized access to any user account by exploiting the password reset mechanism. The vulnerability occurs because the reset token is not correctly bound to the requesting account and is accepted for other user emails during login, enabling privilege escalation and information disclosure.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://previews.titansystems.ph/zender/dashboard/auth
- https://codecanyon.net/item/zender-android-mobile-devices-as-sms-gateway-saas-platform/26594230
- https://darklotus.medium.com/cve-2025-56676-critical-vulnerability-in-zender-gateway-allows-account-takeover-2b5bcb50c762
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.