CVE-2025-2475

5.4 MEDIUM

📋 TL;DR

Mattermost fails to invalidate user cache when converting accounts to bots, allowing attackers to log in once using the original user credentials. This affects Mattermost instances running vulnerable versions where user-to-bot conversions occur.

💻 Affected Systems

Products:
  • Mattermost
Versions: 10.5.x <= 10.5.1, 10.4.x <= 10.4.3, 9.11.x <= 9.11.9
Operating Systems: All platforms running Mattermost
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects instances where user accounts are converted to bot accounts.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains unauthorized access to a bot account, potentially accessing sensitive channels, data, or performing malicious actions under the bot's identity.

🟠 Likely Case

Limited one-time access to a bot account, potentially allowing information gathering or limited unauthorized actions before credentials are invalidated.

🟢 If Mitigated

No impact if proper access controls, monitoring, and patching are implemented to prevent exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires knowledge of credentials for a user account that was converted to a bot.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.5.2, 10.4.4, 9.11.10 or later

Vendor Advisory: https://mattermost.com/security-updates

Restart Required: Yes

Instructions:

1. Backup Mattermost data.
2. Download patched version from Mattermost releases.
3. Stop Mattermost service.
4. Install updated version.
5. Restart Mattermost service.
6. Verify version update.

🔧 Temporary Workarounds

Disable user-to-bot conversions (applies to: all)

Prevent conversion of user accounts to bot accounts until patched.

# Configure Mattermost to restrict bot creation permissions

Reset bot credentials (applies to: all)

Manually reset credentials for any bots created from user accounts.

# Use Mattermost CLI or admin console to reset bot tokens

🧯 If You Can't Patch

  • Monitor audit logs for unusual bot login activity
  • Implement strict access controls and review bot permissions

🔍 How to Verify

Check if Vulnerable:

Check Mattermost version via System Console > About or run: mattermost version

Check Version:

mattermost version

Verify Fix Applied:

Confirm version is 10.5.2+, 10.4.4+, or 9.11.10+ and test user-to-bot conversion cache behavior.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected bot login events
  • User-to-bot conversion logs followed by authentication attempts

Network Indicators:

  • Unusual authentication patterns to bot accounts

SIEM Query:

source="mattermost" (event="user_converted_to_bot" OR event="login") | stats count by user
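The SIEM query above only counts the two event types per user; the indicator that actually matters is the sequence: a user-to-bot conversion followed by a successful login for the same account, which a converted account should never produce. The following is an added example, not part of the original advisory or Mattermost's own tooling, that performs that correlation over log lines. The log lines are constructed, and the field names (ts, event, user_id, status) are assumptions for the example rather than Mattermost's real audit-log schema; map them to your own log format before use.

```python
"""Correlate user-to-bot conversion events with later logins for the same account.

Added example for CVE-2025-2475 detection; the log format below is constructed
and its field names are assumptions, not Mattermost's actual audit-log schema.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log lines (one JSON record per line). A malformed line is
# included to show that the parser skips it rather than aborting.
SAMPLE_LOGS = [
    '{"ts": "2025-03-20T10:00:00Z", "event": "user_converted_to_bot", "user_id": "u1", "ip": "10.0.0.5"}',
    '{"ts": "2025-03-20T10:03:12Z", "event": "login", "user_id": "u1", "ip": "203.0.113.7", "status": "success"}',
    '{"ts": "2025-03-20T11:00:00Z", "event": "user_converted_to_bot", "user_id": "u2", "ip": "10.0.0.5"}',
    '{"ts": "2025-03-21T12:00:00Z", "event": "login", "user_id": "u2", "ip": "10.0.0.9", "status": "success"}',
    '{"ts": "2025-03-20T10:04:00Z", "event": "login", "user_id": "u3", "ip": "10.0.0.9", "status": "success"}',
    'not json at all',
]


def parse_logs(lines):
    """Parse JSON log lines into dicts with a datetime 'ts', sorted by time.

    Lines that are not JSON or lack a parseable timestamp are dropped.
    """
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        try:
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        except (KeyError, TypeError, ValueError):
            continue
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def find_post_conversion_logins(lines, window=timedelta(hours=24)):
    """Return alerts for successful logins that follow a conversion of the same account.

    window bounds how long after the conversion a login is still correlated;
    pass window=None to flag any later login regardless of elapsed time.
    """
    converted = {}  # user_id -> timestamp of the user_converted_to_bot event
    alerts = []
    for rec in parse_logs(lines):
        uid = rec.get("user_id")
        if rec.get("event") == "user_converted_to_bot":
            converted[uid] = rec["ts"]
        elif (rec.get("event") == "login"
              and rec.get("status") == "success"
              and uid in converted):
            delta = rec["ts"] - converted[uid]
            if window is None or delta <= window:
                alerts.append({
                    "user_id": uid,
                    "login_ip": rec.get("ip"),
                    "login_ts": rec["ts"].isoformat(),
                    "seconds_after_conversion": delta.total_seconds(),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_post_conversion_logins(SAMPLE_LOGS):
        print("ALERT: converted account logged in:", alert)
```

In the sample data only u1 is flagged with the default 24-hour window (login 192 seconds after conversion); u2's login a day later is flagged only with window=None, and u3 never had a conversion. Since a bot account has no legitimate interactive login path, a wide or unbounded window is reasonable on an unpatched instance.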
