CVE-2025-31947

5.8 MEDIUM

📋 TL;DR

Mattermost fails to implement account lockout for LDAP users after repeated failed login attempts, allowing attackers to perform denial-of-service attacks by locking legitimate LDAP accounts. This affects Mattermost instances configured with LDAP authentication in vulnerable versions.

💻 Affected Systems

Products:
  • Mattermost
Versions: 10.6.x <= 10.6.1, 10.5.x <= 10.5.2, 10.4.x <= 10.4.4, 9.11.x <= 9.11.11
Operating Systems: All platforms running Mattermost
Default Config Vulnerable: ✅ No
Notes: Only affects instances with LDAP authentication configured; local authentication and other auth methods are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could lock all LDAP user accounts, causing complete service disruption for LDAP-authenticated users until administrators manually unlock accounts or reconfigure authentication.

🟠 Likely Case

Targeted account lockouts against specific users (e.g., administrators, key personnel) causing temporary access denial and operational disruption.

🟢 If Mitigated

Limited impact with monitoring and rapid response to unlock accounts; no data breach or privilege escalation occurs.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and can be performed with simple scripts; LDAP account names must be known or guessed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 10.6.2, 10.5.3, 10.4.5, 9.11.12

Vendor Advisory: https://mattermost.com/security-updates

Restart Required: Yes

Instructions:

1. Back up the Mattermost configuration and database.
2. Download the patched version from mattermost.com/download.
3. Stop the Mattermost service.
4. Replace the binary/files with the patched version.
5. Restart the Mattermost service.
6. Verify the version and functionality.

🔧 Temporary Workarounds

Temporary LDAP Account Lockout Configuration (platform: all)

Configure the LDAP server to enforce account lockout policies independently of Mattermost.

Rate Limiting at Network Level (platform: all)

Implement network-level rate limiting for Mattermost login endpoints.

🧯 If You Can't Patch

  • Monitor LDAP account lockout events and implement alerting for unusual patterns
  • Consider temporarily disabling LDAP authentication or switching to alternative authentication methods

🔍 How to Verify

Check if Vulnerable:

Check Mattermost version and verify LDAP authentication is enabled in System Console > Authentication > LDAP

Check Version:

mattermost version

Verify Fix Applied:

After patching, test LDAP login failures to confirm account lockout now functions properly
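The version check above has a branch-specific twist: 10.5.3 is fixed even though it is numerically lower than the vulnerable 10.6.1, so a plain "is my version below 10.6.2" comparison gives the wrong answer for older branches. The following is an added example, not part of this advisory or of Mattermost's own tooling, that parses the output of `mattermost version` (exact layout assumed; only an x.y.z token is required), reads the LDAP toggle from config.json (the `LdapSettings.Enable` key is an assumption to confirm against your own file), and compares the version against the fix for its own branch.

```python
import json
import re

# Fixed releases per branch, from the advisory's "Patch Version" line.
# Version tuples compare element-wise, but only within the same x.y branch:
# 10.5.3 is fixed even though it is numerically lower than the vulnerable 10.6.1.
FIXED_BY_BRANCH = {
    (10, 6): (10, 6, 2),
    (10, 5): (10, 5, 3),
    (10, 4): (10, 4, 5),
    (9, 11): (9, 11, 12),
}


def parse_version(output):
    """Pull the first x.y.z triple out of `mattermost version` output.

    The exact output layout is an assumption for this example; the regex only
    needs some x.y.z token to appear in it.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", output)
    if m is None:
        raise ValueError("no x.y.z version found in: %r" % output)
    return tuple(int(part) for part in m.groups())


def ldap_enabled_in_config(config_json):
    """Return True if config.json has LdapSettings.Enable set.

    LdapSettings.Enable is the key this example assumes; confirm it against
    your own config.json or the System Console.
    """
    cfg = json.loads(config_json)
    return bool(cfg.get("LdapSettings", {}).get("Enable", False))


def is_affected(version, ldap_enabled):
    """True if the version sits below its branch's fix and LDAP auth is on.

    Returns None when the branch is not one the advisory lists, so the caller
    can treat it as "unknown" rather than silently "safe".
    """
    if not ldap_enabled:
        return False
    fixed = FIXED_BY_BRANCH.get(tuple(version[:2]))
    if fixed is None:
        return None
    return tuple(version) < fixed


if __name__ == "__main__":
    # Constructed sample inputs standing in for real command output and config.
    sample_output = "Version: 10.6.1\nBuild Number: 1234\nBuild Date: 2025-04-01"
    sample_config = '{"LdapSettings": {"Enable": true}}'
    v = parse_version(sample_output)
    print(v, is_affected(v, ldap_enabled_in_config(sample_config)))
```

Returning None for an unlisted branch is deliberate: a fleet inventory script should surface "not covered by this advisory" separately from "patched", rather than folding both into a reassuring False.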

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed LDAP login attempts for same user in short timeframe
  • LDAP account lockout events in LDAP server logs

Network Indicators:

  • High volume of POST requests to /api/v4/users/login endpoint from single IP

SIEM Query:

source="mattermost" "login attempt failed" user=* | stats count by user, src_ip | where count > 5
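The log indicators and the SIEM query above can be reproduced offline so the threshold can be tuned before it goes into a production search. The following is an added example, not part of this advisory or of Mattermost's own tooling: it scans constructed log lines in an assumed key=value layout (msg, auth_service, user, src_ip) and flags any user/source-IP pair with more than five LDAP login failures inside a sliding five-minute window, the same `count > 5` rule as the query but bounded in time, while ignoring local-auth failures and successful logins.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines, not real Mattermost output. The key=value layout
# (msg, auth_service, user, src_ip) is an assumption for this example; point
# LOG_RE at the fields your own deployment writes.
SAMPLE_LOGS = [
    '2025-04-01T10:00:01Z level=info msg="Login attempt failed" auth_service=ldap user=alice src_ip=203.0.113.5',
    '2025-04-01T10:00:03Z level=info msg="Login attempt failed" auth_service=ldap user=alice src_ip=203.0.113.5',
    '2025-04-01T10:00:04Z level=info msg="Login attempt failed" auth_service=ldap user=alice src_ip=203.0.113.5',
    '2025-04-01T10:00:06Z level=info msg="Login attempt failed" auth_service=ldap user=alice src_ip=203.0.113.5',
    '2025-04-01T10:00:07Z level=info msg="Login attempt failed" auth_service=ldap user=alice src_ip=203.0.113.5',
    '2025-04-01T10:00:09Z level=info msg="Login attempt failed" auth_service=ldap user=alice src_ip=203.0.113.5',
    # bob: two failures half an hour apart, ordinary user behaviour
    '2025-04-01T10:00:10Z level=info msg="Login attempt failed" auth_service=ldap user=bob src_ip=198.51.100.7',
    '2025-04-01T10:30:00Z level=info msg="Login attempt failed" auth_service=ldap user=bob src_ip=198.51.100.7',
    # carol: local (email) auth, not in scope for this CVE
    '2025-04-01T10:00:12Z level=info msg="Login attempt failed" auth_service=email user=carol src_ip=192.0.2.9',
    # dave: successful login, not a failure at all
    '2025-04-01T10:00:13Z level=info msg="Login successful" auth_service=ldap user=dave src_ip=192.0.2.10',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) .*?msg="Login attempt failed".*?'
    r'auth_service=(?P<svc>\S+).*?user=(?P<user>\S+).*?src_ip=(?P<ip>\S+)'
)


def parse_failure(line):
    """Return (timestamp, auth_service, user, src_ip) for a failed-login line, else None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["svc"], m["user"], m["ip"]


def find_ldap_lockout_candidates(lines, threshold=5, window_minutes=5):
    """Flag (user, src_ip) pairs with more than `threshold` LDAP failures
    inside any `window_minutes` span: the SIEM query's count > 5 rule, but
    evaluated over a sliding window instead of the whole search period."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for line in lines:
        parsed = parse_failure(line)
        if parsed is None:
            continue
        ts, svc, user, ip = parsed
        if svc != "ldap":
            continue
        failures[(user, ip)].append(ts)

    alerts = []
    for (user, ip), stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # slide the window's left edge forward until the span fits
            while ts - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts.append({"user": user, "src_ip": ip, "count": count,
                               "first": stamps[start], "last": ts})
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for alert in find_ldap_lockout_candidates(SAMPLE_LOGS):
        print(alert)
```

Keying on the user alone (dropping src_ip from the tuple) catches the same account being hit from many addresses, which is the pattern a distributed lockout attempt would leave; the per-pair key above matches the SIEM query as written.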
