CVE-2025-32358

4.0 MEDIUM

📋 TL;DR

This vulnerability allows authenticated admin users in Zammad to perform Server-Side Request Forgery (SSRF) attacks. When webhooks return redirect responses, Zammad automatically follows them with GET requests, enabling attackers to probe internal networks. Only Zammad instances with admin users are affected.

💻 Affected Systems

Products:
  • Zammad
Versions: 6.4.x before 6.4.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated admin user access to configure webhooks.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could scan internal networks, access internal services, or combine with other vulnerabilities to pivot deeper into infrastructure.

🟠

Likely Case

Internal network reconnaissance and potential data exposure from internal services that respond to GET requests.

🟢

If Mitigated

Limited to authenticated admin users only, reducing attack surface significantly.

🌐 Internet-Facing: MEDIUM - Internet-facing Zammad instances are vulnerable if admin credentials are compromised.
🏢 Internal Only: MEDIUM - Internal instances still pose risk if admin users are compromised or malicious.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin credentials but is straightforward once obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.4.2

Vendor Advisory: https://zammad.com/en/advisories/zaa-2025-01

Restart Required: Yes

Instructions:

1. Backup your Zammad instance.
2. Update to Zammad 6.4.2 or later.
3. Restart Zammad services.
4. Verify webhook functionality.

🔧 Temporary Workarounds

Restrict Webhook Configuration

all

Limit webhook configuration to trusted admin users only and monitor webhook creation.

Network Segmentation

all

Place Zammad in restricted network segment to limit internal network access.

🧯 If You Can't Patch

  • Implement strict access controls for admin accounts with MFA
  • Monitor and audit all webhook creation and configuration changes

🔍 How to Verify

Check if Vulnerable:

Check Zammad version via admin interface or 'zammad version' command. If version is 6.4.0 or 6.4.1, you are vulnerable.

Check Version:

zammad version

Verify Fix Applied:

Verify version is 6.4.2 or later and test webhook redirect behavior.

📡 Detection & Monitoring

Log Indicators:

  • Unusual webhook creation patterns
  • Multiple redirect responses from webhook endpoints
  • Admin user configuring unexpected webhooks

Network Indicators:

  • Zammad making unexpected GET requests to internal IPs
  • Webhook traffic to unusual destinations

SIEM Query:

source="zammad" AND (event="webhook_created" OR event="webhook_triggered") AND user_role="admin"

🔗 References