## https://sploitus.com/exploit?id=3B6BED06-F9FA-5030-8647-DD34135A19B0
# CVE-2025-27580: Unauthenticated Account Takeover in NIH BRICS
NIH BRICS (aka Biomedical Research Informatics Computing System) through 14.0.0-67 generates predictable tokens (that depend on username, time, and the fixed 7Dl9#dj- string) and thus allows unauthenticated users with a Common Access Card (CAC) to escalate privileges and compromise any account, including administrators.
Published a write-up: https://bugculture.io/CVE-2025-27580/
Discovered by Chandler Rose (Founder/Security Consultant), February 2025.
References:
- https://vulners.com/cve/CVE-2025-27580