CVE-2025-27500
📋 TL;DR
CVE-2025-27500 is an authentication bypass vulnerability in OpenZiti's admin panel that allows unauthenticated attackers to upload malicious files to the server. This can lead to stored cross-site scripting (XSS) attacks when users access these files through their browsers. Organizations running vulnerable versions of OpenZiti with exposed admin panels are affected.
💻 Affected Systems
- OpenZiti ziti-console
📦 What is this software?
OpenZiti by OpenZiti
⚠️ Risk & Real-World Impact
Worst Case
Attackers could upload malicious JavaScript files that execute in admin users' browsers, potentially leading to session hijacking, credential theft, or complete admin panel compromise.
Likely Case
Attackers upload XSS payloads to steal admin session cookies or perform actions on behalf of authenticated users.
If Mitigated
With proper network segmentation and admin panel isolation, impact is limited to the specific admin panel instance.
🎯 Exploit Status
Simple HTTP POST request to /api/upload endpoint with malicious file payload.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.7.1
Vendor Advisory: https://github.com/openziti/ziti-console/security/advisories/GHSA-frxm-vm48-5qf2
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Upgrade OpenZiti to version 3.7.1 or later.
3. Restart the OpenZiti services.
4. Verify that the /api/upload endpoint is no longer accessible without authentication.
🔧 Temporary Workarounds
Network Access Control
Restrict access to the admin panel using firewall rules or network segmentation (Linux example; replace [admin_port] and [trusted_ips] with your values):
iptables -A INPUT -p tcp --dport [admin_port] -s [trusted_ips] -j ACCEPT
iptables -A INPUT -p tcp --dport [admin_port] -j DROP
Reverse Proxy Authentication
Place the admin panel behind a reverse proxy that enforces authentication before forwarding any request.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate the admin panel from untrusted networks
- Deploy a web application firewall (WAF) with XSS protection rules in front of the admin panel
🔍 How to Verify
Check if Vulnerable:
Attempt to POST a file to the /api/upload endpoint without authentication. If the request succeeds, the system is vulnerable.
Check Version:
ziti version | grep -i version
Verify Fix Applied:
Attempt to access the /api/upload endpoint without authentication. You should receive a 401 or 403 response, or the endpoint should not exist.
📡 Detection & Monitoring
Log Indicators:
- HTTP POST requests to /api/upload from unauthenticated sources
- File uploads to unexpected locations
Network Indicators:
- Unusual POST requests to admin panel endpoints
- Traffic patterns indicating file uploads
SIEM Query:
source="openziti" AND method="POST" AND uri_path="/api/upload" AND NOT user_authenticated=true
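The same detection logic as a standalone script, added here as an example (not part of the advisory or the OpenZiti project). It assumes the admin panel sits behind a reverse proxy writing Common Log Format lines, where the authenticated-user field is "-" for unauthenticated requests; the log lines are constructed, not real traffic.

```python
import re

# Assumed format: Common Log Format from a reverse proxy in front of ziti-console
# (remote host, ident, authenticated user, timestamp, request line, status, size).
# The user field is "-" when the proxy did not authenticate the request.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

UPLOAD_PATH = "/api/upload"  # endpoint named in the advisory

def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_unauth_uploads(lines):
    """Return every POST to /api/upload that carried no authenticated user.
    A 2xx status on such a request means the bypass succeeded and the uploaded
    file should be located and reviewed; 401/403 means the control held."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if rec["method"] != "POST" or path != UPLOAD_PATH:
            continue
        if rec["user"] != "-":
            continue  # proxy saw an authenticated user; not an unauth attempt
        status = int(rec["status"])
        hits.append({"host": rec["host"], "time": rec["time"],
                     "status": status, "succeeded": 200 <= status < 300})
    return hits

# Constructed sample lines covering the cases the rule must separate.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:01:02 +0000] "POST /api/upload HTTP/1.1" 200 512
198.51.100.4 - admin [12/Mar/2025:10:02:15 +0000] "POST /api/upload HTTP/1.1" 200 4096
203.0.113.7 - - [12/Mar/2025:10:03:40 +0000] "GET /api/upload HTTP/1.1" 404 0
203.0.113.9 - - [12/Mar/2025:10:04:55 +0000] "POST /api/upload?x=1 HTTP/1.1" 401 0
203.0.113.7 - - [12/Mar/2025:10:05:01 +0000] "POST /api/login HTTP/1.1" 200 128
""".splitlines()

if __name__ == "__main__":
    for h in find_unauth_uploads(SAMPLE_LOG):
        verdict = "BYPASS SUCCEEDED" if h["succeeded"] else "blocked"
        print(f'{h["time"]} {h["host"]} status={h["status"]} {verdict}')
```

Only the first and fourth sample lines are reported; the first is flagged as a successful bypass because the unauthenticated POST returned 200.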