
Critical authentication bypass vulnerabilities in Wondershare RepairIt expose user data and AI models

1 unique source, 1 article

Summary


Two critical authentication bypass vulnerabilities in Wondershare RepairIt, an AI-powered data repair and photo editing application, were disclosed. These flaws expose private user data and AI models, potentially allowing attackers to execute arbitrary code on customers' endpoints. The vulnerabilities, CVE-2025-10643 and CVE-2025-10644, have CVSS scores of 9.1 and 9.4, respectively. The issues stem from overly permissive cloud access tokens embedded in the application's code, which enable read and write access to sensitive cloud storage. The data is stored without encryption, and the exposed cloud storage contains AI models, software binaries, container images, scripts, and company source code. This exposure could facilitate supply chain attacks and AI model tampering. Trend Micro researchers disclosed the vulnerabilities in April 2025 but have not received a response from Wondershare. Users are advised to restrict interaction with the product until a fix is available.

Timeline

  1. 24.09.2025 16:55 · 1 article

    Critical authentication bypass vulnerabilities in Wondershare RepairIt disclosed

    Two critical authentication bypass vulnerabilities in Wondershare RepairIt were disclosed. These flaws, CVE-2025-10643 and CVE-2025-10644, expose private user data and AI models, potentially allowing attackers to execute arbitrary code on customers' endpoints. The vulnerabilities stem from overly permissive cloud access tokens embedded in the application's code, which enable read and write access to sensitive cloud storage. The exposed cloud storage contains AI models, software binaries, container images, scripts, and company source code, facilitating supply chain attacks and AI model tampering. Trend Micro disclosed the vulnerabilities in April 2025 but has not received a response from Wondershare. Users are advised to restrict interaction with the product until a fix is available.


Information Snippets