Password Reset Exploit in Movable Type Software by Six Apart
CVE-2025-53522

6.9 MEDIUM

What is CVE-2025-53522?

Movable Type contains a vulnerability that arises from its handling of data from untrusted sources. The flaw permits an unauthorized remote attacker to forge a password reset email, which could lead to unauthorized account access. Because an attacker can thereby manipulate email communications that user account integrity depends on, users of the affected versions should update immediately and audit their installations.

Affected Version(s)

Movable Type (Cloud Edition) 8.6.0 (8 series)

Movable Type (Cloud Edition) 7 r.5508 (7 series)

Movable Type (Software Edition) 8.0.0 to 8.0.6

References

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

CVSS V3.0

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.