CVE-2025-24387
📋 TL;DR
This vulnerability in OTRS Application Server allows session hijacking due to insecure cookie settings in HTTPS sessions. Attackers can steal authentication cookies via cross-site requests, potentially gaining unauthorized access to user sessions. This affects OTRS versions 7.0.X through 2025.X.
💻 Affected Systems
- OTRS Application Server
📦 What is this software?
Otrs by Otrs
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain unauthorized administrative access to OTRS systems, leading to data theft, privilege escalation, and complete system compromise.
Likely Case
Attackers hijack user sessions to access sensitive ticket data, modify configurations, or perform unauthorized actions within the OTRS interface.
If Mitigated
With proper SameSite cookie attributes and HTTPS enforcement, the attack surface is significantly reduced, though not completely eliminated.
🎯 Exploit Status
Exploitation requires user interaction (the victim visits a malicious site) but relies on standard web techniques. The attacker needs no credentials; the victim only needs an active OTRS session.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check OTRS security advisory for specific patched versions
Vendor Advisory: https://otrs.com/release-notes/otrs-security-advisory-2025-05/
Restart Required: Yes
Instructions:
1. Review OTRS security advisory for patched versions
2. Update OTRS to the latest secure version
3. Restart OTRS services
4. Verify cookie attributes are properly set
🔧 Temporary Workarounds
Configure SameSite Cookie Attributes
Manually set SameSite=Strict or SameSite=Lax attributes for authentication cookies
Modify OTRS configuration to add: SetEnvIf Cookie "^.*OTRSAgentInterface=.*" samesite_strict
Configure web server (Apache/Nginx) to add SameSite attributes to Set-Cookie headers
Enforce HTTPS and Secure Flags
Ensure all cookies have the Secure flag and HTTPS is enforced
Set OTRS configuration: $Self->{'HttpType'} = 'https';
Configure web server to redirect HTTP to HTTPS
🧯 If You Can't Patch
- Implement web application firewall rules to block cross-site request patterns
- Monitor for unusual authentication patterns and session hijacking attempts
🔍 How to Verify
Check if Vulnerable:
Check if authentication cookies lack SameSite attributes by inspecting Set-Cookie headers in browser developer tools or using: curl -I https://your-otrs-url.com | grep -i set-cookie
Check Version:
Check OTRS version via admin interface or system configuration
Verify Fix Applied:
Verify cookies now include SameSite=Strict or SameSite=Lax attributes and Secure flag: curl -I https://your-otrs-url.com | grep -i 'set-cookie.*samesite'
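The curl one-liners above only show raw headers; as an added example (not from OTRS or the advisory), the following script parses each Set-Cookie value and reports which of the attributes this advisory concerns are missing. It also flags a missing HttpOnly flag, which the advisory does not mention but which matters for the same session-theft scenario. The cookie name OTRSAgentInterface is taken from the workaround section; the sample header values are constructed, and fetch_set_cookie assumes the URL you pass issues a cookie on a HEAD request, as curl -I does.

```python
import urllib.request
from urllib.error import HTTPError


def audit_set_cookie(header_values):
    """Return [(cookie_name, [findings])] for a list of Set-Cookie header values.

    An empty findings list means the cookie carries Secure, HttpOnly and a
    SameSite value of Strict or Lax. Malformed values (no name=value pair) are skipped.
    """
    report = []
    for raw in header_values:
        parts = [p.strip() for p in raw.split(";") if p.strip()]
        if not parts or "=" not in parts[0]:
            continue
        name = parts[0].split("=", 1)[0].strip()
        attrs = {}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()
        findings = []
        if "secure" not in attrs:
            findings.append("missing Secure flag (cookie may be sent over plain HTTP)")
        if "httponly" not in attrs:
            findings.append("missing HttpOnly flag (cookie readable from script)")
        samesite = attrs.get("samesite")
        if samesite is None:
            findings.append("missing SameSite attribute (relying on browser defaults)")
        elif samesite.lower() not in ("strict", "lax"):
            findings.append(f"SameSite={samesite} does not block cross-site sending")
        report.append((name, findings))
    return report


def fetch_set_cookie(url):
    """Live check mirroring `curl -I`: return the Set-Cookie values the server sends."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.headers.get_all("Set-Cookie") or []
    except HTTPError as err:  # 4xx/5xx responses still carry headers worth auditing
        return err.headers.get_all("Set-Cookie") or []


# Constructed sample values, not captured from a real OTRS host.
SAMPLE_HEADERS = [
    "OTRSAgentInterface=abc123; path=/otrs/; HttpOnly",                      # weak
    "OTRSCustomerInterface=def456; path=/otrs/; Secure; HttpOnly; SameSite=Lax",  # hardened
]

if __name__ == "__main__":
    for cookie, findings in audit_set_cookie(SAMPLE_HEADERS):
        print(cookie, "OK" if not findings else findings)
```

To audit a live host, call audit_set_cookie(fetch_set_cookie("https://your-otrs-url.com/otrs/index.pl")) and treat any non-empty findings list for the OTRSAgentInterface or OTRSCustomerInterface cookie as "still vulnerable".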
📡 Detection & Monitoring
Log Indicators:
- Multiple failed login attempts followed by successful login from different IP
- Session IDs being used from unexpected user agents or IP addresses
- Unusual access patterns to sensitive endpoints
Network Indicators:
- Cross-origin requests to OTRS authentication endpoints
- Authentication cookies transmitted without SameSite attributes
SIEM Query:
source="otrs.log" AND ("authentication" OR "session") AND ("different_ip" OR "user_agent_mismatch")