
ClipBucket CVE-2025-67418

Severity: CRITICAL (CVSS 3.1 base score 9.8, vendor: mitre)
Weakness: Use of Hard-coded Credentials (CWE-798)
Published: 2025-12-22 by cve@mitre.org

Severity by source

Vendor (mitre), primary: 9.8 CRITICAL, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 9.8 CRITICAL
Rationale: Default credentials are network-reachable and require no earned privileges or interaction (AV:N/AC:L/PR:N/UI:N); admin takeover yields full C/I/A impact.
CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (mitre).

CVSS Vector (Vendor: mitre): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

1. Analysis Generated: Jul 05, 2026 - 03:33 (vuln.today)

Description (CVE.org)

ClipBucket 5.5.2 is affected by an improper access control issue where the product is shipped or deployed with hardcoded default administrative credentials. An unauthenticated remote attacker can log in to the administrative panel using these default credentials, resulting in full administrative control of the application.

Analysis (AI)

Full administrative takeover of ClipBucket 5.5.2 is possible because the video-sharing platform ships with hardcoded default administrative credentials, letting any unauthenticated remote attacker sign into the admin panel and control the entire application. Publicly available exploit material (a Medium write-up) documents the attack, and the CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N). This is a network-reachable, no-interaction flaw, though EPSS is modest at 0.57% (43rd percentile) and it is not currently listed in CISA KEV.

Technical Context (AI)

ClipBucket is an open-source PHP-based video-sharing/streaming CMS (vendor identified in CPE as oxygenz:clipbucket). The root cause is CWE-798, Use of Hard-coded Credentials: the distribution embeds a fixed administrator username/password that is present in every default deployment rather than being generated at install time or forced to change on first setup. Because these static credentials are identical across all installations, knowledge of the default pair, which is discoverable from documentation, source, or the published write-up, functions as a universal backdoor into the administrative interface. The CPE string cpe:2.3:a:oxygenz:clipbucket carries a wildcard version, so the affected build is taken from the description: the 5.5.2 line.

Remediation (AI)

No vendor-released patch or fixed version was identified at time of analysis, so remediation centers on eliminating the default credentials directly: immediately change the administrator username and password from the shipped defaults on every ClipBucket 5.5.2 instance, and verify no other accounts retain default secrets. As compensating controls, restrict access to the administrative panel (e.g., the /admin_area or CMS admin path) to known management IPs via web-server allowlisting or a reverse proxy, and place the admin interface behind a VPN or HTTP authentication gateway - the trade-off is added friction for legitimate administrators and possible breakage of remote management workflows. Monitor authentication logs for successful admin logins from unexpected sources. Consult the referenced write-up (https://medium.com/@arpit03sharma2003/cve-2025-67418-when-default-credentials-become-a-remote-root-button-03be5ee4b927) for the specific default credential values to ensure they are rotated, and track the vendor's channels for an official patched release.
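A defender-side check for the "monitor authentication logs" step above, added here as an example and not taken from ClipBucket or this page: it parses constructed combined-format web-server access-log lines and flags admin login POSTs that succeeded from outside a management allowlist. The admin login path /admin_area/login.php, the convention that a successful login answers with a 302 redirect while a failed one re-renders the form with 200, and the allowlisted networks are all assumptions.

```python
import ipaddress
import re

# Assumptions (not from the page): the ClipBucket admin login handler is
# /admin_area/login.php, a successful login responds with a 302 redirect,
# and legitimate administrators only come from these management networks.
ADMIN_LOGIN_PATH = "/admin_area/login.php"
MANAGEMENT_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.50.0/24")]

# Nginx/Apache "combined" log format: IP - - [ts] "METHOD PATH PROTO" STATUS ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: two external successes, one internal success, one failure.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Dec/2025:10:01:02 +0000] "POST /admin_area/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Dec/2025:10:01:03 +0000] "GET /admin_area/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.50.12 - - [22/Dec/2025:10:05:00 +0000] "POST /admin_area/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Dec/2025:10:07:44 +0000] "POST /admin_area/login.php HTTP/1.1" 200 2210 "-" "curl/8.0"
198.51.100.9 - - [22/Dec/2025:10:08:01 +0000] "POST /admin_area/login.php?next=/ HTTP/1.1" 302 0 "-" "curl/8.0"
"""


def is_management_ip(ip: str) -> bool:
    """True if the source address falls inside an allowlisted management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETWORKS)


def find_suspicious_admin_logins(lines):
    """Return (ip, timestamp) for successful admin logins from non-management sources."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line; skip
        path = m["path"].split("?", 1)[0]  # drop query string before comparing
        if m["method"] != "POST" or path != ADMIN_LOGIN_PATH:
            continue
        if m["status"] != "302":
            continue  # failed logins re-render the form (200); not an alert
        if not is_management_ip(m["ip"]):
            hits.append((m["ip"], m["ts"]))
    return hits


if __name__ == "__main__":
    for ip, ts in find_suspicious_admin_logins(SAMPLE_LOG.splitlines()):
        print(f"ALERT: admin login from non-management address {ip} at {ts}")
```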


CVE-2025-67418 vulnerability details – vuln.today
