CVE-2025-24977
📋 TL;DR
OpenCTI versions before 6.4.11 contain a critical vulnerability where users with 'manage customizations' capability can execute arbitrary commands on the underlying infrastructure via webhook misuse. This allows attackers to obtain root shell access within containers and access internal server secrets. All OpenCTI deployments with users having this capability are affected.
💻 Affected Systems
- OpenCTI
📦 What is this software?
Opencti by Citeum
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the OpenCTI infrastructure, lateral movement to connected systems, exfiltration of sensitive threat intelligence data, and persistent backdoor installation.
Likely Case
Unauthorized command execution leading to data theft, privilege escalation, and container escape to host system.
If Mitigated
Limited impact if proper access controls restrict 'manage customizations' capability to trusted administrators only.
🎯 Exploit Status
Exploitation requires an authenticated user with the 'manage customizations' capability. The advisory provides technical details that could facilitate exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.11
Vendor Advisory: https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-mf88-g2wq-p7qm
Restart Required: Yes
Instructions:
1. Back up your OpenCTI data and configuration.
2. Update to version 6.4.11 using your deployment method (Docker, Kubernetes, manual).
3. Restart all OpenCTI services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict 'manage customizations' capability
Temporarily remove the 'manage customizations' capability from all non-essential users until patching can be completed.
UPDATE users SET capabilities = array_remove(capabilities, 'manage customizations') WHERE username != 'admin';
🧯 If You Can't Patch
- Immediately audit and restrict 'manage customizations' capability to absolute minimum required users
- Implement network segmentation to isolate OpenCTI from critical infrastructure
🔍 How to Verify
Check if Vulnerable:
Check the OpenCTI version via the web interface or API. If the version is below 6.4.11, the system is vulnerable.
Check Version:
docker exec opencti_platform curl -s http://localhost:8080/api/version | grep version
Verify Fix Applied:
Confirm version is 6.4.11 or higher and test that webhook functionality no longer allows command injection.
📡 Detection & Monitoring
Log Indicators:
- Unusual webhook creation/modification
- Suspicious command execution in container logs
- Unexpected process spawning
Network Indicators:
- Outbound connections from OpenCTI container to unexpected destinations
- Command and control traffic patterns
SIEM Query:
source="opencti" AND (event="webhook_created" OR event="webhook_modified") AND user!="admin"
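The version check above and the SIEM query can be scripted together; this is an added example, not part of the advisory or the OpenCTI project. It assumes the API or web UI returns a dotted version string, and the log field names (event, user, webhook_id) are assumed; the log lines are constructed samples, not real OpenCTI output. Versions are compared numerically, since a plain string comparison would wrongly rank 6.4.9 above 6.4.11.

```python
import json
import re

PATCHED = (6, 4, 11)  # first fixed version per the advisory

def parse_version(text):
    """Extract a dotted version like '6.4.10' from raw output and return an int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version string found in: %r" % text)
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version_text):
    """True when the reported version is below 6.4.11 (numeric, not string, comparison)."""
    return parse_version(version_text) < PATCHED

# Constructed sample log lines; field names are an assumption for this example.
SAMPLE_LOGS = [
    '{"event":"webhook_created","user":"analyst1","webhook_id":"wh-1"}',
    '{"event":"webhook_modified","user":"admin","webhook_id":"wh-1"}',
    '{"event":"login","user":"analyst1"}',
    '{"event":"webhook_modified","user":"contractor","webhook_id":"wh-2"}',
    'not json at all',
]

WEBHOOK_EVENTS = {"webhook_created", "webhook_modified"}

def flag_webhook_events(lines, trusted_users=("admin",)):
    """Mirror the SIEM query: webhook create/modify events by users outside the trusted set."""
    hits = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip lines that are not JSON records
        if rec.get("event") in WEBHOOK_EVENTS and rec.get("user") not in trusted_users:
            hits.append((rec["user"], rec["event"], rec.get("webhook_id")))
    return hits

if __name__ == "__main__":
    print("vulnerable:", is_vulnerable('{"version":"6.4.10"}'))
    for hit in flag_webhook_events(SAMPLE_LOGS):
        print("ALERT webhook change by non-trusted user:", hit)
```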