reNgine is an automated reconnaissance framework for web applications designed to help discover security flaws. A critical vulnerability, CVE-2025-24968, has been discovered in all versions up to and including 2.20 of the reNgine framework that allows attackers with specific roles, such as penetration_tester or auditor, to delete all projects in the system without proper authorization. This can ultimately lead to a complete system takeover by redirecting the attacker to the onboarding page, where they can add or modify users, including Sys Admins, and configure critical settings like API keys and user preferences. Users are advised to monitor the project for future releases that address this issue. Currently, there are no known workarounds.

The Vulnerability

Unrestricted project deletion as a result of insufficient access controls in reNgine allows attackers with penetration_tester or auditor roles to delete projects, even though they should not be able to do so.

This can be exploited using the following steps:

1. The attacker logs in to the reNgine system using their credentials with a role of penetration_tester or auditor.
2. They obtain the ID of the project they wish to delete, either by guessing it or by discovering it through reconnaissance.
3. Using either a web browser's developer tools or a tool like Burp Suite, they intercept the HTTP request to delete the project, which looks like:

DELETE /projects/delete/project_id_here HTTP/1.1
Host: rengine.example.com
User-Agent: Mozilla/5. ...

4. The attacker replaces project_id_here with the actual ID of the project they want to delete and forwards the HTTP request to the server.
5. The server processes the request and deletes the project without checking whether the user has the privileges required to do so.
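The access-control gap behind steps 1 to 5, as an added Python example that is not reNgine's own code: the vulnerable handler only checks that the caller is logged in, while the hardened one also checks the caller's role before it touches the project. The in-memory store, the handler signatures and the sys_admin role name are assumptions; only the penetration_tester and auditor role names come from the advisory.

```python
# Added example, not reNgine's code: the authorization gap behind CVE-2025-24968.
# Role names penetration_tester / auditor come from the advisory; the store,
# handler signatures and the "sys_admin" role name are assumptions.
from dataclasses import dataclass, field

ROLE_SYS_ADMIN = "sys_admin"            # assumed name of the privileged role
ROLE_PENETRATION_TESTER = "penetration_tester"
ROLE_AUDITOR = "auditor"
ROLES_ALLOWED_TO_DELETE = {ROLE_SYS_ADMIN}

@dataclass
class User:
    name: str
    role: str
    authenticated: bool = True

@dataclass
class ProjectStore:
    # Constructed sample data standing in for the reNgine project table.
    projects: dict = field(default_factory=lambda: {1: "client-recon", 2: "internal"})

def delete_project_vulnerable(user: User, store: ProjectStore, project_id: int) -> str:
    """Authentication only: any logged-in role can delete any project (the bug)."""
    if not user.authenticated:
        return "401 Unauthorized"
    if project_id not in store.projects:
        return "404 Not Found"
    del store.projects[project_id]
    return "200 Deleted"

def delete_project_hardened(user: User, store: ProjectStore, project_id: int) -> str:
    """Authentication plus authorization: the role is checked before the project is
    looked up, so a non-admin also cannot use 404 vs 403 to confirm a guessed ID."""
    if not user.authenticated:
        return "401 Unauthorized"
    if user.role not in ROLES_ALLOWED_TO_DELETE:
        return "403 Forbidden"          # penetration_tester / auditor land here
    if project_id not in store.projects:
        return "404 Not Found"
    del store.projects[project_id]
    return "200 Deleted"

def demo(role: str = ROLE_AUDITOR, project_id: int = 1) -> tuple[str, int, str, int]:
    """Sends the same request to both handlers; returns (status, projects left) for each."""
    vulnerable, hardened = ProjectStore(), ProjectStore()
    caller = User("alice", role)
    v = delete_project_vulnerable(caller, vulnerable, project_id)
    h = delete_project_hardened(caller, hardened, project_id)
    return v, len(vulnerable.projects), h, len(hardened.projects)
```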

This vulnerability could result in the following damages:

- Loss of critical data: All projects within the reNgine system may be deleted, potentially causing irreparable harm to the organization and its reputation.
- System takeover: After deleting all projects, attackers can redirect themselves to the onboarding page and modify users, including Sys Admins, gaining unfettered access to the system.
- Compromise of sensitive data: Attackers can access and manipulate critical settings, such as API keys and user preferences, potentially exposing highly sensitive information.

Solution

Currently, there are no available workarounds or patches for this vulnerability. Users are advised to monitor the reNgine GitHub repository for future updates and to apply any security patch as soon as it is released to reduce the risk of exploitation.

References

- reNgine GitHub Repository
- Burp Suite

Timeline

Published on: 02/04/2025 20:15:50 UTC