Two critical vulnerabilities have been disclosed in Wondershare RepairIt, a widely-used software tool for repairing corrupted video, image, and audio files. Tracked as CVE-2025-10643 and CVE-2025-10644, these authentication bypass flaws carry dangerously high CVSS v3.0 base scores of 9.1 and 9.4 respectively, highlighting their potential to enable full system compromise and even support supply-chain attacks.
Security advisories from the National Vulnerability Database (NVD), Zero Day Initiative (ZDI), and multiple vulnerability trackers published on September 17, 2025, underscore the urgency for users to update the application to patched versions immediately. Organizations using Wondershare RepairIt in workflows involving sensitive data and AI models may be especially at risk.
Misconfigured Permissions in Token Management Open the Door to Attackers
At the core of both vulnerabilities is an incorrect assignment of permissions to storage-related access tokens, leading to unauthenticated code execution.
CVE-2025-10644: Improper SAS Token Permissions Enable Remote Code Execution
CVE-2025-10644 stems from incorrect permission assignment to a Shared Access Signature (SAS) token used within Wondershare RepairIt. SAS tokens are typically used to grant restricted access to Azure Storage resources. However, in this case, misconfigured token permissions allow remote attackers to entirely bypass authentication.
According to the Zero Day Initiative and CVE Feed, successful exploitation would permit threat actors to execute arbitrary code on the target system, without needing any valid credentials. This creates a significant risk for:
- Unauthorized system access
- Deployment of malware or ransomware
- Potential delivery paths for supply-chain attacks via manipulated installation media or updates
The flaw’s critical 9.4 CVSS rating reflects the severity of the threat landscape it introduces.
CVE-2025-10643: Storage Account Token Misconfiguration Enables Authentication Bypass
Similarly, CVE-2025-10643 arises from incorrect permission assignments to storage account tokens used by the application. These tokens, which likely facilitate backend storage operations, fail to enforce proper restrictions. The result is another unauthenticated pathway for attackers to penetrate system defenses.
As outlined by the NVD, this vulnerability allows adversaries to bypass authentication checks entirely, enabling unauthorized access to sensitive application functions or stored data. The vulnerability has received a CVSS v3.0 score of 9.1.
Both vulnerabilities share a common pattern: relaxed or incorrect access control over application storage resources, which inadvertently grants malicious actors privileged access to the RepairIt environment.
Supply-Chain Risks, AI Model Impact, and Broader Implications
While both vulnerabilities impact local installations, security researchers warn of wider risks, including potential exploitation in supply-chain scenarios. The RepairIt software is often integrated into enterprise workflows for digital media recovery and file sanitization—processes that may include sensitive data or proprietary AI model outputs.
Advanced Exploitation Scenarios Could Target Enterprise Workflows
The Zero Day Initiative emphasizes that attackers exploiting these flaws could inject payloads into enterprise environments through manipulated recovery jobs. This presents several hypothetical yet technically plausible risks:
- Corrupted media files processed via RepairIt may be used as carriers for embedded malicious code.
- If RepairIt operates in server-based or automated batch environments, an unauthenticated attacker could compromise multiple assets.
- AI model pipelines that rely on repaired inputs (e.g., training from recovered video archives) may inadvertently incorporate tainted data or allow account takeover vectors.
Though no in-the-wild exploitation has been reported, the vulnerability configuration makes these threat scenarios technically feasible and therefore urgent priorities for mitigation.
Urgent Mitigation Steps and Recommendations for Security Teams
Security researchers and databases agree on one urgent course of action: update Wondershare RepairIt to the latest patched version immediately. Given the public disclosure of both CVEs, threat actors now have detailed knowledge of the flaws.
Recommended Steps for Enterprises and End Users
- Update Immediately : Install the latest available version of Wondershare RepairIt. Both vulnerabilities are reportedly addressed in current updates.
- Audit Access Tokens : Review token access settings, especially for systems connected to Azure or other cloud storage accounts used by RepairIt.
- Isolate RepairIT in Sandboxed Environments : Run vulnerable or outdated versions in secured environments only, under strict monitoring.
- Monitor for Anomalous Activity : Pay attention to network connections, file integrity, and system behavior for signs of post-exploitation activity.
Organizations using RepairIt in automated pipelines—particularly those involving AI models, sensitive media, or legal content—should consider additional verification of files processed during the vulnerable period.
Conclusion
CVE-2025-10643 and CVE-2025-10644 represent high-impact security flaws in Wondershare RepairIt, stemming from improper handling of storage-related access tokens. With unauthenticated arbitrary code execution on the table, security teams cannot afford to delay patch implementation.
Enterprises should move quickly to assess exposure, apply mitigations, and revisit their dependency on unsecured token-based storage mechanisms within critical software like RepairIt. As software supply chains and AI workflows grow increasingly interconnected, maintaining rigorous access control and monitoring is more vital than ever.
