PT-2025-5611 · Rengine · Rengine

Thevietronin · Published 2025-02-04 · Updated 2025-05-13

CVE-2025-24968
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: reNgine versions up to and including 2.20
Description: An unrestricted project deletion vulnerability in reNgine allows authenticated users holding lower-privileged roles, such as penetration tester or auditor, to delete every project in the system. Once no projects remain, the application redirects the user to the onboarding page, where they can add or modify users, including Sys Admins, and configure critical settings such as API keys and user preferences, which amounts to a complete system takeover.
Recommendations: For versions up to and including 2.20, update to version 2.21 to resolve the issue. As a temporary workaround, consider restricting access to the penetration tester and auditor roles to minimize the risk of exploitation. Restrict access to the onboarding page to prevent attackers from adding or modifying users and configuring critical settings. Avoid using the vulnerable project deletion feature until the issue is resolved.
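The two controls this advisory points at, an explicit permission on project deletion and an onboarding page that cannot be reopened by emptying the project list, modelled as an added example in Python. This is hypothetical code written for this page, not reNgine's; the Role, User and System types and the PERMISSIONS table are constructed assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

# Hypothetical model (not reNgine code) of the two checks this advisory implies:
# (1) project deletion gated on an explicit permission, not merely on being logged in;
# (2) the onboarding page reachable only on a true first run or by an administrator,
#     so that emptying the project list can never reopen user/setting provisioning.

class Role(Enum):
    SYS_ADMIN = "sys_admin"
    PENETRATION_TESTER = "penetration_tester"
    AUDITOR = "auditor"

# Explicit allow-list of roles per action (constructed for this example).
PERMISSIONS = {"delete_project": {Role.SYS_ADMIN}}

@dataclass
class User:
    name: str
    role: Role

@dataclass
class System:
    users: list = field(default_factory=list)
    projects: set = field(default_factory=set)

    def has_admin(self) -> bool:
        return any(u.role is Role.SYS_ADMIN for u in self.users)

def can(user: User, action: str) -> bool:
    """Deny-by-default: unknown actions and unlisted roles are refused."""
    return user.role in PERMISSIONS.get(action, set())

def delete_project(system: System, user: User, project: str) -> bool:
    """Delete one project only if the caller holds the permission; returns whether it ran."""
    if not can(user, "delete_project"):
        return False
    system.projects.discard(project)
    return True

def onboarding_allowed(system: System, user) -> bool:
    """Onboarding (creating admins, setting API keys) is a first-run flow.
    Once an admin exists, only an admin may reach it, however many projects remain."""
    if not system.has_admin():
        return True  # genuine first run: nobody is set up yet
    return user is not None and user.role is Role.SYS_ADMIN
```

The second check is what breaks the chain described above: even after every project is gone, a non-admin session never lands on a page that can create Sys Admins or change API keys.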

Weakness Enumeration: Improper Access Control

Related Identifiers: CVE-2025-24968, GHSA-3327-6X79-Q396

Affected Products: Rengine