CVE-2025-26844

9.8 CRITICAL

📋 TL;DR

This vulnerability in Znuny (formerly OTRS) allows attackers to steal session cookies via cross-site scripting (XSS) attacks because cookies lack the HttpOnly flag. All users of Znuny up to version 7.1.3 are affected. The missing flag enables client-side scripts to access authentication cookies.

💻 Affected Systems

Products:
  • Znuny
Versions: Through 7.1.3
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All installations using the default cookie settings are vulnerable. Custom configurations may also be affected if the HttpOnly flag is not explicitly set.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full account takeover leading to data theft, privilege escalation, and complete system compromise through session hijacking.

🟠 Likely Case

Session hijacking allowing unauthorized access to the Znuny interface, potentially exposing sensitive ticket data and user information.

🟢 If Mitigated

Limited impact with proper network segmentation, though XSS vectors could still enable cookie theft from authenticated sessions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a separate XSS vector to read the cookies. While no public PoC exists, the vulnerability is straightforward to exploit once combined with such an XSS flaw.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.1.4 or later

Vendor Advisory: https://www.znuny.org/en/advisories/zsa-2025-05

Restart Required: Yes

Instructions:

1. Backup your Znuny installation and database.
2. Download Znuny 7.1.4 or later from the official website.
3. Follow the upgrade instructions in the Znuny documentation.
4. Restart the Znuny service after the upgrade.

🔧 Temporary Workarounds

Manual Cookie Configuration

Manually configure Znuny to set the HttpOnly flag on its cookies via the configuration file:

Edit Kernel/Config.pm and add: $Self->{HttpOnly} = 1;
Restart Znuny service: systemctl restart znuny

🧯 If You Can't Patch

  • Implement strict Content Security Policy (CSP) headers to mitigate XSS vectors
  • Deploy Web Application Firewall (WAF) with XSS protection and cookie security rules

🔍 How to Verify

Check if Vulnerable:

Check whether the cookies lack the HttpOnly flag by inspecting them in the browser developer tools or with: curl -I https://your-znuny-url.com | grep -i set-cookie

Check Version:

znuny.Console.pl Maint::Config::Dump --options='Product' | grep Version

Verify Fix Applied:

Verify that the Set-Cookie headers now include the HttpOnly flag after the patch or configuration change.
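An added checker for the verification steps above (example code, not from the advisory or from the Znuny project): it parses Set-Cookie headers and lists every cookie that lacks the HttpOnly attribute. The cookie names and values are constructed sample data, and fetching the login page with GET (rather than the HEAD request curl -I sends) is an assumption.

```python
import sys
import urllib.error
import urllib.request
from typing import Dict, List

# Constructed sample Set-Cookie headers, modelled on what a vulnerable
# instance could return: the first cookie carries no HttpOnly attribute.
SAMPLE_HEADERS = [
    "OTRSAgentInterface=EXAMPLE_SESSION_ID; path=/znuny/; secure",
    "OTRSBrowserHasCookie=1; path=/znuny/; secure; HttpOnly",
]


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Split one Set-Cookie header into name, value and attributes.

    Attribute names are lower-cased so HttpOnly/httponly compare equal;
    flag attributes without a value (HttpOnly, Secure) map to True.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def cookies_missing_httponly(headers: List[str]) -> List[str]:
    """Return the names of cookies whose Set-Cookie header lacks HttpOnly."""
    return [c["name"] for c in map(parse_set_cookie, headers)
            if "httponly" not in c["attrs"]]


def check_url(url: str) -> List[str]:
    """GET the URL (assumed: the login page sets the cookie on GET) and
    report cookies missing HttpOnly; error responses are inspected too."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            headers = resp.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as err:
        headers = err.headers.get_all("Set-Cookie") or []
    return cookies_missing_httponly(headers)


if __name__ == "__main__":
    found = (check_url(sys.argv[1]) if len(sys.argv) > 1
             else cookies_missing_httponly(SAMPLE_HEADERS))
    print("Cookies without HttpOnly: " + ", ".join(found) if found
          else "OK: every cookie sets HttpOnly")
```

Run it with no argument to exercise the sample headers, or pass the Znuny login URL to test a live instance; an empty result after the upgrade or the Kernel/Config.pm change confirms the fix.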

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts from new locations
  • Unusual session creation patterns
  • Administrative actions from unexpected user accounts

Network Indicators:

  • Unexpected cookie values in HTTP requests
  • Sessions originating from unusual IP ranges

SIEM Query:

source="znuny.log" ("session hijack" OR "unauthorized access" OR "cookie theft")

🔗 References
