ClipBucket
CVE-2025-67418
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Default credentials are network-reachable and require no earned privileges or interaction (AV:N/AC:L/PR:N/UI:N); admin takeover yields full C/I/A impact.
Primary rating from Vendor (mitre).
CVSS Vector (Vendor: mitre)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
ClipBucket 5.5.2 is affected by an improper access control issue where the product is shipped or deployed with hardcoded default administrative credentials. An unauthenticated remote attacker can log in to the administrative panel using these default credentials, resulting in full administrative control of the application.
Analysis (AI)
Full administrative takeover of ClipBucket 5.5.2 is possible because the video-sharing platform ships with hardcoded default administrative credentials, letting any unauthenticated remote attacker sign into the admin panel and control the entire application. Publicly available exploit material (a Medium write-up) documents the attack, and the CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N). This is a network-reachable, no-interaction flaw, though EPSS is modest at 0.57% (43rd percentile) and it is not currently listed in CISA KEV.
Technical Context (AI)
ClipBucket is an open-source PHP-based video-sharing/streaming CMS (the vendor is identified in CPE as oxygenz:clipbucket). The root cause is CWE-798, Use of Hard-coded Credentials: the distribution embeds a fixed administrator username/password that is present in every default deployment rather than being generated at install time or forced to change on first login. Because these static credentials are identical across all installations, knowledge of the default pair - discoverable from documentation, source, or the published write-up - functions as a universal backdoor into the administrative interface. The CPE string cpe:2.3:a:oxygenz:clipbucket uses a wildcard version, so the affected build (the 5.5.2 line) is taken from the description rather than from the CPE itself.
Remediation (AI)
No vendor-released patch or fixed version was identified at the time of analysis, so remediation centers on eliminating the default credentials directly: immediately change the administrator username and password from the shipped defaults on every ClipBucket 5.5.2 instance, and verify that no other accounts retain default secrets. As compensating controls, restrict access to the administrative panel (e.g., the /admin_area or CMS admin path) to known management IPs via web-server allowlisting or a reverse proxy, and place the admin interface behind a VPN or an HTTP authentication gateway - the trade-off is added friction for legitimate administrators and possible breakage of remote management workflows. Monitor authentication logs for successful admin logins from unexpected sources. Consult the referenced write-up (https://medium.com/@arpit03sharma2003/cve-2025-67418-when-default-credentials-become-a-remote-root-button-03be5ee4b927) for the specific default credential values to ensure they are rotated, and track the vendor's channels for an official patched release.
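The monitoring step above can be scripted against the web server's access log. The following is an added example written for this page; it is not ClipBucket code and not part of the advisory. It assumes a combined-format (nginx/Apache) access log, that the admin login is a POST to /admin_area/login.php (the /admin_area path is from the advisory, the login.php endpoint name is an assumption), that a successful login answers with a 302 redirect while a failed one re-renders the form with 200 (a heuristic, not documented ClipBucket behaviour), and that the management allowlist is 10.0.5.0/24. The log lines are constructed samples, not real traffic.

```python
"""Flag successful admin-panel logins that did not come from the management allowlist.

Added example for the compensating controls above; not ClipBucket or vuln.today code.
Assumed (not from the advisory): login endpoint /admin_area/login.php, 302 == success,
combined log format, management range 10.0.5.0/24.
"""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.5.12 - - [12/Jan/2025:09:14:02 +0000] "POST /admin_area/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.77 - - [12/Jan/2025:09:15:31 +0000] "POST /admin_area/login.php HTTP/1.1" 200 4821 "-" "python-requests/2.31"
203.0.113.77 - - [12/Jan/2025:09:15:33 +0000] "POST /admin_area/login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.9 - - [12/Jan/2025:09:16:00 +0000] "GET /watch_video.php?v=abc HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
10.0.5.12 - - [12/Jan/2025:09:17:45 +0000] "GET /admin_area/index.php HTTP/1.1" 200 7730 "-" "Mozilla/5.0"
"""

# Assumed management network; replace with the real allowlist.
MANAGEMENT_ALLOWLIST = [ipaddress.ip_network("10.0.5.0/24")]

# Assumed admin login endpoint.
ADMIN_LOGIN_PATH = "/admin_area/login.php"

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowlisted(ip: str) -> bool:
    """True when the client address falls inside one of the management networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_ALLOWLIST)


def find_suspicious_admin_logins(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Successful (302) POSTs to the admin login endpoint from non-allowlisted IPs."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real deployment would count these too
        path = rec["path"].split("?", 1)[0]
        if rec["method"] != "POST" or path != ADMIN_LOGIN_PATH:
            continue
        if rec["status"] != "302":  # heuristic: redirect after login means success
            continue
        if is_allowlisted(rec["ip"]):
            continue
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "ua": rec["ua"]})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_admin_logins(SAMPLE_LOG.splitlines()):
        print(f"ALERT admin login from outside allowlist: {f['ip']} at {f['ts']} ({f['ua']})")
```

Run against the sample, the script reports a single alert: the 302 from 203.0.113.77, which follows a failed attempt from the same address two seconds earlier. Once the admin panel is allowlisted at the reverse proxy, any hit this check produces indicates either a gap in the allowlist or a bypass of it, so it doubles as a control-effectiveness check.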
Same weakness: CWE-798 – Use of Hard-coded Credentials
Same technique: Authentication Bypass