CVE-2025-32360
📋 TL;DR
This vulnerability in Zammad allows logged-in customers to view and manipulate shared article drafts that are intended for agents only. Customers can read confidential information from draft articles and modify them via API calls. It affects Zammad installations running versions before 6.4.2.
💻 Affected Systems
- Zammad
📦 What is this software?
Zammad is an open-source helpdesk and customer-support ticketing system (vendor: Zammad). Its shared-drafts feature lets agents prepare and share article text on a ticket before it is sent; such drafts are meant to be visible to agents only, never to the customer on the ticket.
⚠️ Risk & Real-World Impact
Worst Case
Customers could read sensitive agent notes, modify draft responses to insert malicious content, or delete important draft communications before agents can send them.
Likely Case
Customers accidentally or intentionally viewing draft content containing internal agent discussions, ticket prioritization notes, or other confidential information.
If Mitigated
If customer API permissions are restricted and draft access is monitored, impact is limited to disclosure of draft content; final ticket communications are unaffected, since a draft only becomes a ticket article when an agent submits it.
🎯 Exploit Status
Exploitation requires an authenticated customer account and nothing more than a browser's developer console or direct API calls; no special tools are needed. Because the missing authorization check is server-side, hiding the UI path does not help: any customer session can issue the same requests with curl or a script.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.2
Vendor Advisory: https://zammad.com/en/advisories/zaa-2025-03
Restart Required: Yes
Instructions:
1. Back up your Zammad installation and database.
2. Update to Zammad 6.4.2 or later using your package manager or deployment method (package, Docker, or source).
3. Restart the Zammad services.
4. Verify the update: confirm the reported version is 6.4.2 or later and, with a test customer account, confirm that shared drafts on a ticket can no longer be read or changed via the API.
🔧 Temporary Workarounds
Restrict customer API access
Temporarily limit the Customer role's permissions to reduce the manipulation risk.
# Zammad has no dedicated switch for this; adjust the Customer role under Admin > Manage > Roles. Note that the customer web UI uses the same API, so cutting customers off from the API entirely also breaks their normal ticket access.
Monitor draft access logs
Increase logging and monitoring of draft access patterns from customer accounts.
# Zammad writes request logs to log/production.log under its install directory; forward them to your SIEM and alert on the indicators listed under Detection & Monitoring.
🧯 If You Can't Patch
- Restrict network access to the Zammad API as far as your customer workflow allows; note that the customer web UI is built on the same API, so blocking /api/v1 for customers also blocks their normal ticket access
- Enable enhanced logging and alerting for draft access from customer accounts, and treat any customer-role request that references drafts as an incident until the patch is applied
🔍 How to Verify
Check if Vulnerable:
Check the Zammad version in the admin interface, on the command line, or in the VERSION file in the install directory (/opt/zammad on package installs). Any version older than 6.4.2 (for example 6.4.0 or 6.4.1) should be treated as vulnerable.
Check Version:
zammad version
Verify Fix Applied:
After updating, confirm the version reads 6.4.2 or later. Then log in as a test customer on a ticket that has a shared draft and confirm the draft is neither returned by the API nor visible in the browser console; a customer request for draft content should be rejected, not served.
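The version comparison in the check above is easy to get wrong in ad-hoc scripts (a string compare puts "6.10.0" before "6.4.2"). The following is an added example for this page, not code shipped by Zammad: it parses the version as integers, compares it against the 6.4.2 fix version from the advisory, and can read the version from the VERSION file, whose /opt/zammad/VERSION location is an assumption for package installs.

```python
"""Decide whether an installed Zammad version is affected by CVE-2025-32360.

Added example for this page, not code shipped by Zammad. It assumes the fixed
version stated in the advisory (6.4.2) and, for the file-based lookup, a package
install whose VERSION file lives at /opt/zammad/VERSION (adjust for other layouts).
"""
import re
from typing import Optional, Tuple

FIXED_VERSION = "6.4.2"  # first release with the fix, per ZAA-2025-03
DEFAULT_VERSION_FILE = "/opt/zammad/VERSION"  # assumed package-install path

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Extract major.minor.patch as integers so 6.10.0 sorts after 6.4.2.

    A plain string comparison gets this wrong ("6.10.0" < "6.4.2" as strings).
    Pre-release suffixes such as "6.4.2-rc1" are ignored here; treat a
    pre-release of the fixed version as unpatched if in doubt.
    """
    match = VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no major.minor.patch version found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return major, minor, patch


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    return parse_version(version_text) < parse_version(fixed)


def read_version_file(path: str = DEFAULT_VERSION_FILE) -> Optional[str]:
    """Return the contents of the VERSION file, or None if it cannot be read."""
    try:
        with open(path, encoding="utf-8") as fh:
            return fh.read().strip()
    except OSError:
        return None


def check_install(path: str = DEFAULT_VERSION_FILE) -> str:
    """Human-readable verdict for the local install."""
    installed = read_version_file(path)
    if installed is None:
        return f"could not read {path}; check the version in the admin UI instead"
    state = "VULNERABLE" if is_vulnerable(installed) else "patched"
    return f"Zammad {installed}: {state} (fixed in {FIXED_VERSION})"


if __name__ == "__main__":
    print(check_install())
```

Run it on the Zammad host after the upgrade; a "patched" verdict only covers the version check, so still perform the customer-account test described above.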
📡 Detection & Monitoring
Log Indicators:
- Unusual API calls to draft endpoints from customer accounts
- Multiple draft access attempts from single customer session
- Draft modifications recorded at times when no agent was active on the ticket, or attributed to a customer user
Network Indicators:
- API requests to /api/v1/tickets/*/articles carrying draft parameters from customer sessions (verify the exact draft routes for your Zammad version before building rules on this path)
- Unusual volume of GET requests to article endpoints
SIEM Query:
source="zammad" AND (uri_path="/api/v1/tickets/*/articles" AND user_role="Customer" AND (query_parameters="draft" OR request_body="draft"))
The field names (uri_path, user_role, query_parameters, request_body) are placeholders; map them to the fields your log pipeline extracts. Zammad's request log does not carry the user's role by default, so it must be joined from the user record or enriched at ingest before this query can match.
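The detection logic behind the SIEM query, run over constructed log lines, as an added example that is not part of the original page or of Zammad. It assumes a JSON-lines access log that already carries the user's role (the field names are invented for the example and must be mapped to your own pipeline) and the endpoint shape listed under Network Indicators; it flags customer-role requests that reference drafts, rates writes higher than reads, and reports sessions that repeat the access.

```python
"""Flag customer-role requests to Zammad ticket draft endpoints.

Added example for this page, not code from Zammad or from the advisory. It
assumes a JSON-lines access log that already carries the user's role (Zammad's
own production.log does not; the field names here are invented for the example
and must be mapped to whatever your log pipeline produces) and the draft
endpoint shape listed under Network Indicators. Confirm the real draft routes
for your Zammad version before deploying the pattern.
"""
import json
import re
from collections import Counter
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Endpoint shape taken from the page's Network Indicators (assumption).
DRAFT_PATH = re.compile(r"^/api/v1/tickets/\d+/articles(?:/\d+)?$")
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
REPEAT_THRESHOLD = 3  # one customer session touching drafts this often is worth an alert

# Constructed sample log lines (not real Zammad output).
SAMPLE_LOG = """
{"ts":"2025-04-01T10:00:01Z","session":"s1","user":"alice@example.com","role":"Customer","method":"GET","uri":"/api/v1/tickets/42/articles?draft=true","body":"","status":200}
{"ts":"2025-04-01T10:00:02Z","session":"s1","user":"alice@example.com","role":"Customer","method":"GET","uri":"/api/v1/tickets/42/articles","body":"","status":200}
{"ts":"2025-04-01T10:00:05Z","session":"s2","user":"bob@example.com","role":"Agent","method":"GET","uri":"/api/v1/tickets/42/articles?draft=true","body":"","status":200}
{"ts":"2025-04-01T10:00:09Z","session":"s1","user":"alice@example.com","role":"Customer","method":"PUT","uri":"/api/v1/tickets/42/articles/7","body":"{\\"draft\\":true,\\"body\\":\\"edited by customer\\"}","status":200}
{"ts":"2025-04-01T10:00:12Z","session":"s1","user":"alice@example.com","role":"Customer","method":"GET","uri":"/api/v1/tickets/43/articles?draft=1","body":"","status":200}
{"ts":"2025-04-01T10:00:15Z","session":"s3","user":"carol@example.com","role":"Customer","method":"GET","uri":"/api/v1/users/me","body":"","status":200}
"""


def parse_log(text: str) -> List[Dict]:
    """Parse JSON lines, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def touches_draft(entry: Dict) -> bool:
    """True when the request hits an article endpoint and mentions a draft
    in either the query string or the request body."""
    parts = urlsplit(entry.get("uri", ""))
    if not DRAFT_PATH.match(parts.path):
        return False
    haystack = (parts.query + " " + entry.get("body", "")).lower()
    return "draft" in haystack


def find_customer_draft_access(entries: Iterable[Dict]) -> List[Dict]:
    """Return draft-related requests made by Customer-role users, tagging
    writes (the manipulation case) as high severity and reads as medium."""
    hits = []
    for entry in entries:
        if entry.get("role") != "Customer" or not touches_draft(entry):
            continue
        severity = "high" if entry.get("method") in WRITE_METHODS else "medium"
        hits.append({**entry, "severity": severity})
    return hits


def repeated_sessions(hits: Iterable[Dict], threshold: int = REPEAT_THRESHOLD) -> Dict[str, int]:
    """Sessions that touched drafts at least `threshold` times (the
    repeated-access indicator above)."""
    counts = Counter(hit["session"] for hit in hits)
    return {session: n for session, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_customer_draft_access(parse_log(SAMPLE_LOG))
    for hit in found:
        print(f"{hit['ts']} {hit['severity']:6} {hit['user']} {hit['method']} {hit['uri']}")
    print("repeat offenders:", repeated_sessions(found))
```

On the constructed sample this reports three customer hits, the PUT among them rated high, and session s1 as a repeat offender; the agent's draft read and the customer's non-draft requests are ignored. Because the page's endpoint path may not match the real draft routes in your version, treat DRAFT_PATH as the one thing to validate against your own traffic before alerting on it.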