CVE-2025-12421

9.9 CRITICAL

📋 TL;DR

This vulnerability allows authenticated Mattermost users to take over other accounts by exploiting a flaw in the SSO code exchange process. An attacker switches authentication methods using a specially crafted email address to hijack another user's account. Affected systems are Mattermost instances running the listed vulnerable versions with ExperimentalEnableAuthenticationTransfer enabled and RequireEmailVerification disabled.

💻 Affected Systems

Products:
  • Mattermost
Versions: 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12
Operating Systems: All platforms running Mattermost
Default Config Vulnerable: ⚠️ Yes
Notes: Requires ExperimentalEnableAuthenticationTransfer enabled (default: enabled) and RequireEmailVerification disabled (default: disabled)

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete account takeover of any user, including administrators, leading to data theft, privilege escalation, and potential lateral movement within the organization.

🟠 Likely Case

Targeted account takeover of specific users, potentially leading to unauthorized access to sensitive communications, file sharing, and team collaboration data.

🟢 If Mitigated

Limited impact if proper email verification is enforced and authentication transfer is disabled, though authenticated users could still attempt exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires authenticated access and specific configuration settings, but the attack vector is well-documented in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to Mattermost 11.0.3, 10.12.2, 10.11.5, or 10.5.13

Vendor Advisory: https://mattermost.com/security-updates

Restart Required: Yes

Instructions:

1. Back up your Mattermost instance.
2. Download the patched version from Mattermost releases.
3. Stop the Mattermost service.
4. Replace the installation with the patched version.
5. Restart the Mattermost service.
6. Verify the update was successful.

🔧 Temporary Workarounds

Disable Experimental Authentication Transfer

Platforms: all

Disable the vulnerable feature flag in the Mattermost configuration: set ExperimentalEnableAuthenticationTransfer to false in config.json.

Enable Email Verification

Platforms: all

Require email verification for all user accounts: set RequireEmailVerification to true in config.json.

🧯 If You Can't Patch

  • Disable ExperimentalEnableAuthenticationTransfer and enable RequireEmailVerification in configuration
  • Implement network segmentation to restrict access to Mattermost and monitor for suspicious authentication attempts

🔍 How to Verify

Check if Vulnerable:

Check Mattermost version via System Console > About Mattermost and verify configuration settings for ExperimentalEnableAuthenticationTransfer and RequireEmailVerification

Check Version:

For Linux: grep 'Version' /opt/mattermost/config/config.json or check System Console web interface

Verify Fix Applied:

Confirm version is updated to 11.0.3, 10.12.2, 10.11.5, or 10.5.13 in System Console > About Mattermost
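The workaround and verification steps above amount to two checks: is the running version inside one of the affected ranges, and does config.json still carry the exposing combination of settings? The following script is an added example (not from the advisory or from Mattermost) that performs both checks against a constructed config fragment and applies the advisory's workaround values. It assumes the keys live at ServiceSettings.ExperimentalEnableAuthenticationTransfer and EmailSettings.RequireEmailVerification; confirm those paths against your own config.json.

```python
"""Added example, not code from the advisory or from Mattermost.

Checks a Mattermost version string against the affected ranges the advisory
lists and inspects a config.json fragment for the two settings that together
make CVE-2025-12421 reachable. Config key paths are an assumption.
"""
import json

# Fixed versions from the advisory; the major.minor prefix identifies the branch.
FIXED_VERSIONS = ["11.0.3", "10.12.2", "10.11.5", "10.5.13"]


def parse_version(version):
    """Turn '10.11.4' into (10, 11, 4); extra components are ignored."""
    return tuple(int(part) for part in version.strip().split(".")[:3])


def version_status(version):
    """Return 'affected', 'fixed', or 'not-listed' for a Mattermost version."""
    v = parse_version(version)
    for fixed in FIXED_VERSIONS:
        f = parse_version(fixed)
        if v[:2] == f[:2]:  # same release branch, e.g. 10.11.x
            return "fixed" if v >= f else "affected"
    return "not-listed"  # branch not named in the advisory


def config_exposure(config):
    """Return the configuration conditions that enable the attack path."""
    service = config.get("ServiceSettings", {})  # assumed key path
    email = config.get("EmailSettings", {})      # assumed key path
    findings = []
    # Advisory: the feature defaults to enabled, so a missing key counts as enabled.
    if service.get("ExperimentalEnableAuthenticationTransfer", True):
        findings.append("ExperimentalEnableAuthenticationTransfer is enabled")
    # Advisory: verification defaults to disabled, so a missing key counts as disabled.
    if not email.get("RequireEmailVerification", False):
        findings.append("RequireEmailVerification is disabled")
    return findings


def assess(version, config):
    """Combine the version and configuration checks into one verdict."""
    status = version_status(version)
    findings = config_exposure(config)
    # Both settings must be in the exposing state on an affected version.
    exploitable = status == "affected" and len(findings) == 2
    return {"version_status": status, "findings": findings, "exploitable": exploitable}


def harden(config):
    """Return a copy of config with the advisory's workaround values applied."""
    hardened = json.loads(json.dumps(config))
    hardened.setdefault("ServiceSettings", {})["ExperimentalEnableAuthenticationTransfer"] = False
    hardened.setdefault("EmailSettings", {})["RequireEmailVerification"] = True
    return hardened


# Constructed sample fragment; not a real deployment's config.json.
SAMPLE_CONFIG = json.loads("""
{
  "ServiceSettings": {"ExperimentalEnableAuthenticationTransfer": true},
  "EmailSettings": {"RequireEmailVerification": false}
}
""")

if __name__ == "__main__":
    for ver in ["10.11.4", "10.11.5", "11.0.2", "10.10.1"]:
        print(ver, assess(ver, SAMPLE_CONFIG))
    print("after workaround:", assess("10.11.4", harden(SAMPLE_CONFIG)))
```

To run it against a live instance, replace SAMPLE_CONFIG with `json.load(open("/opt/mattermost/config/config.json"))` and pass the version shown in System Console > About Mattermost. A branch the advisory does not name comes back as not-listed rather than fixed, so it still deserves a manual look.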

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed SSO authentication attempts from same IP
  • Unusual authentication method switching patterns
  • Suspicious requests to /users/login/sso/code-exchange endpoint

Network Indicators:

  • Abnormal traffic patterns to SSO endpoints
  • Multiple authentication requests with different email addresses from same source

SIEM Query:

source="mattermost" AND (uri_path="/users/login/sso/code-exchange" OR message="authentication transfer")
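The SIEM query above only selects the code-exchange requests; the indicators listed before it (repeated failures from one IP, many different email addresses from one source) need a grouping step. The script below is an added example, not from the advisory or from Mattermost, that applies those two indicators to a handful of constructed JSON log lines. The field names (ip, uri_path, email, status) are assumed for the example and are not Mattermost's real log schema; map them to your own log fields before use.

```python
"""Added example, not code from the advisory or from Mattermost.

Groups code-exchange requests by source IP and flags sources that present
several distinct email addresses or accumulate several failed requests.
Log field names are assumed; the sample lines are constructed.
"""
import json
from collections import defaultdict

CODE_EXCHANGE_PATH = "/users/login/sso/code-exchange"

# Constructed sample log lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges. The last line is deliberately malformed.
SAMPLE_LOGS = """\
{"ts":"2025-11-05T10:00:01Z","ip":"203.0.113.7","uri_path":"/users/login/sso/code-exchange","email":"alice@example.test","status":401}
{"ts":"2025-11-05T10:00:03Z","ip":"203.0.113.7","uri_path":"/users/login/sso/code-exchange","email":"bob@example.test","status":401}
{"ts":"2025-11-05T10:00:05Z","ip":"203.0.113.7","uri_path":"/users/login/sso/code-exchange","email":"admin@example.test","status":200}
{"ts":"2025-11-05T10:01:00Z","ip":"198.51.100.9","uri_path":"/users/login/sso/code-exchange","email":"carol@example.test","status":200}
{"ts":"2025-11-05T10:01:10Z","ip":"198.51.100.9","uri_path":"/api/v4/users/me","email":"carol@example.test","status":200}
not valid json, should be skipped
"""


def parse_events(text):
    """Yield parsed JSON events, skipping blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def find_suspicious_sources(text, min_distinct_emails=2, min_failures=2):
    """Return {ip: details} for sources matching either advisory indicator."""
    emails = defaultdict(set)
    failures = defaultdict(int)
    for event in parse_events(text):
        if event.get("uri_path") != CODE_EXCHANGE_PATH:
            continue  # only the code-exchange endpoint is of interest here
        ip = event.get("ip", "unknown")
        if event.get("email"):
            emails[ip].add(event["email"])
        if int(event.get("status", 0)) >= 400:
            failures[ip] += 1

    alerts = {}
    for ip in set(emails) | set(failures):
        reasons = []
        if len(emails[ip]) >= min_distinct_emails:
            reasons.append(f"{len(emails[ip])} distinct emails on code-exchange")
        if failures[ip] >= min_failures:
            reasons.append(f"{failures[ip]} failed code-exchange requests")
        if reasons:
            alerts[ip] = {
                "emails": sorted(emails[ip]),
                "failures": failures[ip],
                "reasons": reasons,
            }
    return alerts


if __name__ == "__main__":
    for ip, details in find_suspicious_sources(SAMPLE_LOGS).items():
        print(ip, details)
```

The thresholds are deliberately low for the sample; on a real instance tune min_distinct_emails to the number of accounts a single workstation legitimately signs into, and add a time window so long-lived NAT addresses do not accumulate alerts indefinitely.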
