CVE-2025-64102
📋 TL;DR
Zitadel, the open-source identity infrastructure, does not limit online brute-force attempts against passwords, OTP and TOTP codes in versions prior to 4.6.0, 3.4.3, and 2.71.18. The lockout policy that would stop such attacks is disabled by default, and enabling it on an affected version trades one problem for another: a lockout triggered by an attacker's guesses blocks the legitimate account holder, so it can be abused for denial of service. Every deployment running an affected version is at risk.
💻 Affected Systems
- Zitadel
📦 What is this software?
Zitadel by Zitadel
⚠️ Risk & Real-World Impact
Worst Case
Attackers could brute-force user credentials or multi-factor authentication codes, leading to account takeover and unauthorized access to protected systems and data.
Likely Case
Targeted guessing against administrative or other high-value accounts. Where the attacker already holds the password (phished or reused), unlimited OTP/TOTP attempts reduce the second factor to a formality.
If Mitigated
With a lockout policy enabled, credential guessing is bounded, but the residual risk is the lockout itself: an attacker who knows a username can deliberately exhaust the attempt limit and deny that user access until the lock is cleared.
🎯 Exploit Status
Brute-force attacks are well understood and trivially automated; no special tooling or public exploit is needed. Password guessing requires only a valid username. OTP/TOTP guessing requires the attacker to have already passed the first factor, but a six-digit code space (one million values) is small enough to search online when nothing limits the attempt rate.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.6.0, 3.4.3, or 2.71.18
Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-xrw9-r35x-x878
Restart Required: Yes
Instructions:
1. Identify your Zitadel version.
2. Upgrade to the fixed release for your major version: 4.6.0 (4.x), 3.4.3 (3.x) or 2.71.18 (2.x).
3. Restart Zitadel services.
4. Verify the upgrade completed successfully.
🔧 Temporary Workarounds
Enable Lockout Mechanism
Manually enable account lockout after failed authentication attempts to limit brute-force guessing.
In the Console, open Settings > Lockout (the same policy is exposed through the admin API) and set a maximum number of failed password attempts and failed OTP attempts; the defaults leave both unlimited, which is why lockout is off by default.
Caveat: on an unpatched version this converts the brute-force exposure into an account-lockout denial of service, since an attacker who knows a username can trip the limit on purpose. Pair it with source-based rate limiting and alert on lockout events so that a locked administrator is noticed quickly.
🧯 If You Can't Patch
- Enable and configure lockout mechanisms in Zitadel settings to cap failed password and OTP attempts per account (see the caveat above about lockout-based denial of service).
- Implement network-level rate limiting or WAF rules, keyed on source IP, that restrict the frequency of requests to the login and session endpoints; this bounds guessing without locking the victim's account.
🔍 How to Verify
Check if Vulnerable:
Check the Zitadel version via the admin interface or configuration files. A version is vulnerable if it is below the fix for its own release branch: below 4.6.0 on 4.x, below 3.4.3 on 3.x, or below 2.71.18 on 2.x (and anything older than 2.71.18).
Check Version:
zitadel version (CLI) or check admin dashboard
Verify Fix Applied:
Confirm the running version is at or above the fix for its branch (4.6.0 or higher on 4.x, 3.4.3 or higher on 3.x, 2.71.18 or higher on 2.x). Then test that lockout is enforced: with a lockout policy configured, exceed the attempt limit against a test account and confirm the account is locked and the lockout event is logged.
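A branch-aware version check, added here as an example (not Zitadel's own code): a naive "is it below 4.6.0?" test would wrongly flag a patched 3.4.3 or 2.71.18 install, so the comparison has to be made against the fixed version of the same major branch. The treatment of pre-release tags and of majors newer than 4 is an assumption made for this example, not something the advisory states.

```python
import re

# Fixed versions per release branch, from the advisory (GHSA-xrw9-r35x-x878).
FIXED = {4: (4, 6, 0), 3: (3, 4, 3), 2: (2, 71, 18)}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?$")


def parse_version(text):
    """Parse 'v4.5.2' or '4.6.0-rc.1' into ((major, minor, patch), is_prerelease)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = tuple(int(x) for x in m.groups()[:3])
    return core, m.group(4) is not None


def is_vulnerable(text):
    """True if this Zitadel version lacks the fix for CVE-2025-64102.

    The comparison is made within the version's own major branch so that
    3.4.3 and 2.71.18 are recognised as fixed even though they sort below 4.6.0.
    """
    core, prerelease = parse_version(text)
    major = core[0]
    if major in FIXED:
        fixed = FIXED[major]
        # A pre-release of the fix version (e.g. 4.6.0-rc.1) precedes the fix
        # itself, so it is treated as vulnerable (assumption for this example).
        return core < fixed or (core == fixed and prerelease)
    if major > 4:
        # Assumption: later majors carry the fix forward.
        return False
    # 1.x and older: below every fixed version listed in the advisory.
    return True


if __name__ == "__main__":
    for v in ["v4.5.2", "4.6.0", "4.6.0-rc.1", "3.4.2", "3.4.3", "2.71.17", "2.71.18", "1.9.0"]:
        print(f"{v:12} vulnerable={is_vulnerable(v)}")
```

Feed it the version string reported by your deployment; a `ValueError` means the string did not look like a release version and should be checked by hand rather than assumed safe.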
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts from single IP or user
- Unusual spike in authentication requests
- Account lockout events
Network Indicators:
- High volume of POST requests to authentication endpoints
- Requests with varying OTP/password values
SIEM Query (illustrative; the event names and field names are placeholders to map onto what your Zitadel log pipeline actually emits):
source="zitadel" AND (event="authentication_failed" OR event="account_locked") | stats count, dc(user) as distinct_users by src_ip, user
A high count for one (src_ip, user) pair indicates brute force against one account; a high distinct_users for one src_ip indicates password spraying, which per-account lockout does not catch.