CVE-2025-24887
📋 TL;DR
OpenCTI versions 6.4.8 through 6.4.9 contain an authorization bypass vulnerability that allows authenticated users to modify restricted user attributes. Attackers can toggle external user flags, change authentication tokens, and edit OTP settings, potentially enabling user enumeration and privilege escalation. Organizations using affected OpenCTI versions with external users are at risk.
💻 Affected Systems
- OpenCTI Platform
📦 What is this software?
OpenCTI by Citeum: an open-source cyber threat intelligence platform exposed to users through a web interface and a GraphQL API.
⚠️ Risk & Real-World Impact
Worst Case
Attackers could compromise external user accounts, bypass multi-factor authentication, enumerate all users, and potentially gain administrative access to the threat intelligence platform.
Likely Case
Low-privileged users can modify their own or other users' authentication settings, potentially bypassing security controls and accessing restricted information.
If Mitigated
Network segmentation does not stop an already-authenticated user, but with audit logging of user attribute changes in place, impact is limited to unauthorized attribute modifications that can be detected and rolled back.
🎯 Exploit Status
Exploitation requires only an authenticated account on the platform, at any privilege level. The flaw is in the API authorization logic that decides which user attributes a caller may edit, so no special tooling is needed beyond an API client.
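To make the authorization flaw concrete, here is an added illustration written for this page, not OpenCTI's own code: a minimal user-edit handler in the vulnerable shape (every key in the edit input is written, the caller is never consulted) beside a hardened one that filters restricted attributes by caller capability. The field names, the capability name and the in-memory User type are assumptions made for the example.

```python
# Added illustration for this page, not OpenCTI's code: field-level
# authorization for a user-edit mutation. Field names, the capability
# name and the User type are assumptions made for the example.
from dataclasses import dataclass, field

# Attributes the advisory summary describes as restricted (assumed names).
RESTRICTED_FIELDS = frozenset({"external", "api_token", "otp_qr", "otp_activated"})
# Hypothetical capability that marks a platform administrator.
ADMIN_CAPABILITY = "ADMIN"


@dataclass
class User:
    id: str
    capabilities: frozenset = frozenset()
    attributes: dict = field(default_factory=dict)


def user_edit_vulnerable(actor: User, target: User, edit_input: dict) -> User:
    """Pre-fix shape: any authenticated caller may write any attribute.

    The actor is accepted but never consulted, which is the bug."""
    for key, value in edit_input.items():
        target.attributes[key] = value
    return target


def edit_denied_reason(actor: User, target: User, edit_input: dict):
    """Return None if the edit is allowed, else a short reason string."""
    if ADMIN_CAPABILITY in actor.capabilities:
        return None
    # Deny list: non-admins may not touch restricted attributes on any account,
    # their own included (MFA changes belong to a dedicated, verified flow).
    restricted = RESTRICTED_FIELDS & set(edit_input)
    if restricted:
        return "restricted fields: " + ", ".join(sorted(restricted))
    if actor.id != target.id:
        return "non-admin may only edit own account"
    return None


def user_edit_hardened(actor: User, target: User, edit_input: dict) -> User:
    """Post-fix shape: authorize the whole edit before applying any of it."""
    reason = edit_denied_reason(actor, target, edit_input)
    if reason is not None:
        raise PermissionError(reason)
    for key, value in edit_input.items():
        target.attributes[key] = value
    return target


if __name__ == "__main__":
    alice = User("u1")                                  # ordinary user
    admin = User("u0", frozenset({ADMIN_CAPABILITY}))  # administrator
    bob = User("u2", attributes={"otp_activated": True})
    # Vulnerable handler: alice disables bob's OTP and sets a token she knows.
    user_edit_vulnerable(alice, bob, {"otp_activated": False, "api_token": "known"})
    print("vulnerable:", bob.attributes)
    # Hardened handler: the same request is refused; the admin's is allowed.
    print("alice -> bob:", edit_denied_reason(alice, bob, {"otp_activated": False}))
    print("admin -> bob:", edit_denied_reason(admin, bob, {"otp_activated": False}))
```

The important design point is that the check runs over the whole edit input before anything is written: a partial write of a restricted field (for example the token applied before the OTP flag is rejected) would still leave the account compromised.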
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.10
Vendor Advisory: https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-8262-pw2q-5qc3
Restart Required: Yes
Instructions:
1. Back up your OpenCTI instance and its database.
2. Update to OpenCTI version 6.4.10 or later using your deployment method (Docker, manual, etc.).
3. Restart all OpenCTI services.
4. Verify the update was successful (see "How to Verify" below).
🔧 Temporary Workarounds
Restrict User Permissions
Temporarily reduce standard user permissions to the minimum required levels
Network Segmentation
Isolate the OpenCTI instance from untrusted networks and limit access to trusted IPs only
🧯 If You Can't Patch
- Implement strict network access controls to limit who can access the OpenCTI interface
- Enable detailed audit logging for all user attribute modifications and alert on changes to the external flag, API token and OTP fields made by non-administrator accounts
🔍 How to Verify
Check if Vulnerable:
Check the running OpenCTI version in the web interface's platform settings, or by inspecting the container image tag if using a Docker deployment. Versions 6.4.8 and 6.4.9 are vulnerable.
Check Version:
docker ps --format '{{.Names}} {{.Image}}' | grep -i opencti (for Docker deployments; the image tag carries the version) or check the package version in your deployment method
Verify Fix Applied:
Confirm the version is 6.4.10 or later, then test with a non-administrator account that the API refuses attempts to change the restricted attributes (external flag, API token, OTP settings) on its own account or on another user's account; the fix enforces allow/deny lists on which attributes a caller may edit.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized modifications to user.external flag
- Changes to otp_qr or otp_activated fields by non-admin users
- Unexpected token value modifications
Network Indicators:
- GraphQL mutations that edit user attributes issued by non-admin accounts, especially against accounts other than the caller's own
SIEM Query:
source="opencti" AND (event_type="user_update" OR event_type="attribute_change") AND user_role!="admin"
(Field names are illustrative; map them to your log schema and narrow on the external, token and OTP attributes to reduce noise.)
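The log indicators above turned into working detection logic, as an added example written for this page (not OpenCTI's or any SIEM vendor's code): a small scanner that reads JSON audit lines, flags writes to the restricted attributes by non-admin actors, and separately lists administrator writes to those attributes on other accounts for review. The line format, field names and role name are an assumed schema for the constructed sample data; map them to the actual OpenCTI audit log fields in your deployment.

```python
# Added example for this page: scan JSON audit lines for writes to
# restricted user attributes. The schema and the sample lines are
# constructed for the example and are not real OpenCTI output.
import json

RESTRICTED_FIELDS = {"external", "api_token", "otp_qr", "otp_activated"}
ADMIN_ROLES = {"Administrator"}  # assumed name of the admin role

# Constructed sample audit log in the assumed schema.
SAMPLE_LOG = """\
{"ts":"2025-03-01T10:00:00Z","event":"user_update","actor":"alice","actor_roles":["Default"],"target":"alice","changed":{"description":"analyst"}}
{"ts":"2025-03-01T10:01:00Z","event":"user_update","actor":"alice","actor_roles":["Default"],"target":"alice","changed":{"external":true}}
{"ts":"2025-03-01T10:02:00Z","event":"user_update","actor":"alice","actor_roles":["Default"],"target":"bob","changed":{"otp_activated":false,"api_token":"1111"}}
{"ts":"2025-03-01T10:03:00Z","event":"user_update","actor":"root","actor_roles":["Administrator"],"target":"bob","changed":{"otp_activated":false}}
{"ts":"2025-03-01T10:04:00Z","event":"login","actor":"bob","actor_roles":["Default"]}
not a json line
"""


def parse_line(line: str):
    """Return the record for a user_update line, or None for anything else."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or rec.get("event") != "user_update":
        return None
    return rec


def scan(text: str) -> list:
    """Return findings for every user_update that touches a restricted field."""
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        touched = RESTRICTED_FIELDS & set(rec.get("changed", {}))
        if not touched:
            continue  # ordinary profile edit, not interesting here
        is_admin = bool(ADMIN_ROLES & set(rec.get("actor_roles", [])))
        cross_account = rec.get("actor") != rec.get("target")
        if not is_admin:
            # The vulnerable behaviour: a non-admin wrote a restricted field.
            # Editing someone else's account is the account-takeover case.
            severity = "high" if cross_account else "medium"
            reason = "non-admin wrote restricted attributes"
        elif cross_account:
            # Legitimate for admins, but worth a review trail (OTP resets etc.).
            severity = "info"
            reason = "admin changed another user's restricted attributes"
        else:
            continue
        findings.append({
            "ts": rec.get("ts"),
            "actor": rec.get("actor"),
            "target": rec.get("target"),
            "fields": sorted(touched),
            "severity": severity,
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['ts']} {f['actor']} -> {f['target']}: "
              f"{', '.join(f['fields'])} ({f['reason']})")
```

Run against a real log export once the field names are mapped; the "medium" self-edit case matters because disabling one's own OTP through the generic edit path is exactly the MFA bypass the advisory summary describes.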