CVE-2025-61782
📋 TL;DR
OpenCTI versions before 6.8.3 contain an open redirect vulnerability in the SAML authentication callback endpoint. Attackers can manipulate the RelayState parameter to redirect users to malicious external websites, enabling phishing attacks and credential theft. All OpenCTI deployments using SAML authentication are affected.
💻 Affected Systems
- OpenCTI
📦 What is this software?
OpenCTI by Citeum
⚠️ Risk & Real-World Impact
Worst Case
Users are redirected to convincing phishing sites that steal credentials or deliver malware, potentially compromising the entire OpenCTI instance and connected systems.
Likely Case
Attackers use the redirect for phishing campaigns targeting OpenCTI users, potentially stealing credentials or session tokens.
If Mitigated
With proper user awareness training and browser security controls, users may recognize suspicious redirects before entering credentials.
🎯 Exploit Status
Exploitation requires the attacker to craft a malicious SAML callback URL and trick a user into clicking it. No authentication bypass is needed once the user initiates SAML login.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.8.3
Vendor Advisory: https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-jc3f-c62g-v7qw
Restart Required: Yes
Instructions:
1. Back up your OpenCTI instance and database.
2. Update to OpenCTI version 6.8.3 or later.
3. Restart all OpenCTI services.
4. Verify the fix by testing the SAML callback endpoint.
🔧 Temporary Workarounds
Disable SAML Authentication
Temporarily disable SAML authentication and use alternative authentication methods until patching is possible.
Modify OpenCTI configuration to remove SAML settings and enable basic authentication or other supported methods.
Web Application Firewall Rule
Add WAF rules to block malicious redirect attempts through the SAML callback endpoint.
Add rule to block requests to /auth/saml/callback with suspicious RelayState parameters containing external domains.
🧯 If You Can't Patch
- Implement strict URL validation at the network perimeter to block redirects to external domains from the OpenCTI instance.
- Enable browser security features like anti-phishing protection and educate users to verify URLs before entering credentials.
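The strict URL validation called for above amounts to one rule: a RelayState may only ever produce a same-origin, relative redirect. The following Node.js function is an added example of that check (it is not OpenCTI's own code; the function name, the `appOrigin` parameter and the `/dashboard` fallback are assumptions). It resolves the RelayState against the application origin with the WHATWG `URL` parser, so absolute URLs, protocol-relative `//host` values, backslash variants and non-HTTP schemes all fail the origin comparison instead of being matched by a fragile regular expression:

```javascript
// Added example: validate a SAML RelayState before using it as a redirect
// target. Only values that resolve to the application's own origin are
// accepted, and the result is re-emitted as a relative path so the
// redirect can never leave the origin. Not OpenCTI's code; names assumed.

const SAFE_DEFAULT = '/dashboard'; // assumed post-login landing page

function safeRelayState(relayState, appOrigin) {
  if (typeof relayState !== 'string' || relayState.length === 0) {
    return SAFE_DEFAULT;
  }
  // Control characters and raw whitespace have no place in a redirect target
  if (/[\x00-\x20\x7f]/.test(relayState)) {
    return SAFE_DEFAULT;
  }

  let parsed;
  try {
    // Resolving against appOrigin: a relative path stays on our origin,
    // while "https://evil", "//evil" or "/\evil" resolve to another one.
    parsed = new URL(relayState, appOrigin);
  } catch {
    return SAFE_DEFAULT; // unparseable input is never followed
  }

  // Non-HTTP schemes such as javascript: have origin "null" and fail here too
  if (parsed.origin !== new URL(appOrigin).origin) {
    return SAFE_DEFAULT;
  }

  // Return only path, query and fragment: always a same-origin relative URL
  return parsed.pathname + parsed.search + parsed.hash;
}

module.exports = { safeRelayState, SAFE_DEFAULT };
```

Call `safeRelayState(req.body.RelayState, 'https://opencti.example')` (origin value assumed) at the point where the callback handler would otherwise pass the raw parameter to the redirect; every rejected value lands on the default page rather than on an attacker-chosen host.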
🔍 How to Verify
Check if Vulnerable:
Test the SAML callback endpoint by attempting to redirect to an external domain via the RelayState parameter. If the redirect succeeds, the system is vulnerable.
Check Version:
Check the OpenCTI web interface admin panel, or run:
docker exec opencti_platform cat /usr/share/opencti/package.json | grep version
Verify Fix Applied:
After updating to 6.8.3+, test the SAML callback endpoint with malicious RelayState parameters. The system should reject external redirects.
📡 Detection & Monitoring
Log Indicators:
- HTTP 302 redirect responses from /auth/saml/callback to external domains
- SAML authentication requests with unusual RelayState parameters
Network Indicators:
- Outbound HTTP redirects from OpenCTI server to unfamiliar external domains following SAML authentication
SIEM Query:
source="opencti" AND (url="/auth/saml/callback" AND status=302 AND redirect_domain NOT IN ("trusted-domains.com"))
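The SIEM query above assumes a field that already holds the redirect domain. Where the logs only carry the raw Location header, the same indicator can be applied with a small script. The following Node.js example is added here and is not part of the advisory or of OpenCTI: it reads JSON access-log lines (the field names and the sample lines are constructed for the example), keeps 302 responses from /auth/saml/callback, and reports every one whose Location resolves to an origin other than the OpenCTI instance itself, including protocol-relative targets that a plain domain-allowlist match would miss:

```javascript
// Added example: detect off-origin 302 redirects from the SAML callback
// in access logs. Log format, field names and sample data are constructed
// assumptions, not OpenCTI's own logging.

const SAML_CALLBACK_PATH = '/auth/saml/callback';

// Constructed sample: one JSON event per line, as many reverse proxies emit
const SAMPLE_LOG = [
  '{"ts":"2025-10-01T10:00:01Z","method":"POST","path":"/auth/saml/callback","status":302,"location":"/dashboard","src":"10.0.0.5"}',
  '{"ts":"2025-10-01T10:00:07Z","method":"POST","path":"/auth/saml/callback","status":302,"location":"https://login.attacker-example.test/opencti","src":"10.0.0.9"}',
  '{"ts":"2025-10-01T10:00:09Z","method":"GET","path":"/graphql","status":200,"location":"","src":"10.0.0.5"}',
  '{"ts":"2025-10-01T10:00:12Z","method":"POST","path":"/auth/saml/callback","status":302,"location":"//login.attacker-example.test/","src":"10.0.0.12"}',
  '{"ts":"2025-10-01T10:00:15Z","method":"POST","path":"/auth/saml/callback","status":302,"location":"https://opencti.example/dashboard","src":"10.0.0.5"}',
  'not json at all',
].join('\n');

// Origin a Location header resolves to, or null when it cannot be parsed
function redirectOrigin(location, appOrigin) {
  try {
    return new URL(location, appOrigin).origin;
  } catch {
    return null;
  }
}

// Returns one finding per callback redirect that leaves the app's origin
function findExternalSamlRedirects(logText, appOrigin) {
  const own = new URL(appOrigin).origin;
  const findings = [];
  for (const line of logText.split('\n')) {
    let ev;
    try {
      ev = JSON.parse(line);
    } catch {
      continue; // skip malformed lines rather than abort the scan
    }
    if (!ev || ev.path !== SAML_CALLBACK_PATH || ev.status !== 302 || !ev.location) {
      continue;
    }
    const target = redirectOrigin(ev.location, appOrigin);
    if (target === own) {
      continue; // same-origin redirect: expected post-login behaviour
    }
    findings.push({ ts: ev.ts, src: ev.src, location: ev.location, targetOrigin: target });
  }
  return findings;
}

// Stand-alone run over the constructed sample
for (const f of findExternalSamlRedirects(SAMPLE_LOG, 'https://opencti.example')) {
  console.log(`${f.ts} src=${f.src} redirect to ${f.targetOrigin ?? 'unparseable'} (${f.location})`);
}

module.exports = { findExternalSamlRedirects, redirectOrigin, SAMPLE_LOG };
```

Run against the sample, the script reports the two events pointing at login.attacker-example.test and stays silent on the two legitimate same-origin redirects; in production, feed it the proxy or OpenCTI access log and alert on any non-empty result, since a patched instance should never emit an off-origin 302 from this path.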