CVE-2025-24968 – reNgine Project Deletion Remote Command Execution
The following table lists the changes that have been made to the CVE-2025-24968 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability’s severity, exploitability, or other characteristics.
-
New CVE Received by [email protected]
Feb. 04, 2025
Action Type Old Value New Value Added Description reNgine is an automated reconnaissance framework for web applications. An unrestricted project deletion vulnerability allows attackers with specific roles, such as `penetration_tester` or `auditor` to delete all projects in the system. This can lead to a complete system takeover by redirecting the attacker to the onboarding page, where they can add or modify users, including Sys Admins, and configure critical settings like API keys and user preferences. This issue affects all versions up to and including 2.20. Users are advised to monitor the project for future releases which address this issue. There are no known workarounds. Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-284 Added Reference https://github.com/yogeshojha/rengine/security/advisories/GHSA-3327-6×79-q396 -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Feb. 04, 2025
Action Type Old Value New Value Added Reference https://github.com/yogeshojha/rengine/security/advisories/GHSA-3327-6×79-q396