CVE-2021-32648
Published: January 18, 2022
Official Description
In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.
CISA KEV Advisory
October CMS Improper Authentication
In affected versions of the october/system package an attacker can request an account password reset and then gain access to the account using a specially crafted request.
Apply updates per vendor instructions.
Risk Analysis
A vulnerability in the october/system package allows an attacker to request an account password reset and then gain access to the account using a specially crafted request. The high EPSS score of 0.93036 indicates a strong likelihood of exploitation, and its inclusion in CISA's KEV catalog confirms it is actively being exploited. This poses a significant account compromise risk.
This vulnerability is actively exploited in the wild, indicating an immediate threat to systems using the affected october/system package. The flaw is remotely exploitable, allowing attackers to compromise user accounts.
Apply the latest security patches and updates for the october/system package. Implement strong password policies and multi-factor authentication for all accounts to mitigate the impact of password reset vulnerabilities.
Technical Analysis
CVE-2021-32648 requires local access, meaning attackers must already have a foothold on the target system.
Exploitation requires some privileges, which limits the exposure to scenarios where an attacker has already gained initial access.
CISA has added CVE-2021-32648 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. U.S. federal agencies are required to patch this within the mandated timeframe, and all organizations should treat remediation as urgent.
Recommended Actions
- Apply vendor patches immediately
- Monitor CVE-2021-32648 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts
- CISA KEV: Federal agencies must patch per the BOD 22-01 timeline
- Active exploitation confirmed: treat as P1