How to fix CVE-2025-22144?

Within 24 hours: Identify all affected systems and apply vendor patches immediately. Monitor vendor channels for patch availability.

Is PHP affected by CVE-2025-22144?

Organizations using NamelessMC face critical risk from CVE-2025-22144 rated CVSS 9.0. Successful exploitation could critically impact the confidentiality, integrity, and availability of affected systems. Proof-of-concept code is publicly available, increasing the risk of exploitation.

CVE-2025-22144

CRITICAL

2025-01-13 [email protected]

9.0

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Analysis Generated

Mar 28, 2026 - 18:03 vuln.today

PoC Detected

May 13, 2025 - 15:42 vuln.today

Public exploit code

CVE Published

Jan 13, 2025 - 20:15 nvd

CRITICAL 9.0

Description

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. A user with admincp.core.emails or admincp.users.edit permissions can validate users and an attacker can reset their password. When the account is successfully approved by email the reset code is NULL, but when the account is manually validated by a user with admincp.core.emails or admincp.users.edit permissions then the reset_code will no longer be NULL but empty. An attacker can request http://localhost/nameless/index.php?route=/forgot_password/&c= and reset the password. As a result an attacker may compromise another users password and take over their account. This issue has been addressed in release version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability.

Analysis

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Technical Context

This vulnerability is classified under CWE-610. NamelessMC is a free, easy to use & powerful website software for Minecraft servers. A user with admincp.core.emails or admincp.users.edit permissions can validate users and an attacker can reset their password. When the account is successfully approved by email the reset code is NULL, but when the account is manually validated by a user with admincp.core.emails or admincp.users.edit permissions then the reset_code will no longer be NULL but empty. An attacker can request http://localhost/nameless/index.php?route=/forgot_password/&c= and reset the password. As a result an attacker may compromise another users password and take over their account. This issue has been addressed in release version 2.1.3 and all users are advised to upgrade. There are no known workarounds for this vulnerability. Affected products include: Namelessmc Nameless. Version information: version 2.1.3.

Affected Products

Namelessmc Nameless.

Remediation

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.4

CVSS: +45

POC: +20

CVE-2025-22144 vulnerability details – vuln.today

Back

CVE-2025-22144

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-22144

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code