CVE-2025-64400
📋 TL;DR
This vulnerability allows users with enrollment-level edit permissions to create users in organizations they don't belong to or have access to. It affects systems using the Control Panel's user pre-registration API where proper organization-level access checks are missing.
💻 Affected Systems
- Control Panel
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker with enrollment edit permissions could create unauthorized user accounts in any organization, potentially gaining access to sensitive organizational data or resources.
Likely Case
Accidental or intentional creation of users in wrong organizations, leading to data access violations and potential compliance issues.
If Mitigated
Minimal impact with proper access controls and monitoring in place, limited to minor configuration errors.
🎯 Exploit Status
Requires enrollment edit permissions but no additional technical complexity. Exploitation involves API calls to create users in unauthorized organizations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: https://palantir.safebase.us/?tcuUid=52a9fd2f-1868-48cb-af01-93c589160e19
Restart Required: No
Instructions:
1. Check the vendor advisory for patch availability.
2. Apply the patch when available.
3. Verify that organization-level access checks are implemented in the user creation API.
🔧 Temporary Workarounds
Disable User Pre-registration API
Temporarily disable the vulnerable API endpoint until a patch is available
# Configuration dependent - consult system documentation
Implement API Gateway Rules
Add organization validation at the API gateway level
# Implementation specific to your API gateway
🧯 If You Can't Patch
- Implement strict monitoring of user creation API calls and alert on cross-organization creations
- Review and audit all users with enrollment edit permissions, reduce to minimum necessary
🔍 How to Verify
Check if Vulnerable:
Test if users with enrollment edit permissions can create accounts in organizations they don't belong to via the pre-registration API
Check Version:
# System specific - check Control Panel version documentation
Verify Fix Applied:
Verify that organization-level access checks are enforced when creating users through the API
📡 Detection & Monitoring
Log Indicators:
- User creation API calls from enrollment editors to organizations they don't belong to
- Failed organization access checks in audit logs
Network Indicators:
- API requests to user creation endpoint with organization IDs not associated with requester
SIEM Query:
source="control_panel" AND action="user_create" AND org_id NOT IN user_orgs
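The SIEM query above is pseudo-syntax; the following is an added example (not from the advisory or the vendor) that applies the same logic to audit records and also shows the organization-scoped authorization rule the fix is expected to enforce. It assumes JSON-per-line audit records with `actor` and `org_id` fields and a membership table mapping each actor to their organizations; both are constructed here.

```python
import json

# Assumed field names: the page's query only names source, action, org_id and user_orgs.
# Constructed sample audit records (one JSON object per line), not from a real deployment.
SAMPLE_LOG = """\
{"source": "control_panel", "action": "user_create", "actor": "alice", "org_id": "org-a", "target": "new.user1"}
{"source": "control_panel", "action": "user_create", "actor": "alice", "org_id": "org-b", "target": "new.user2"}
{"source": "control_panel", "action": "login", "actor": "bob", "org_id": "org-b"}
{"source": "control_panel", "action": "user_create", "actor": "bob", "org_id": "org-b", "target": "new.user3"}
{"source": "other_app", "action": "user_create", "actor": "bob", "org_id": "org-c", "target": "new.user4"}
not json at all
"""

# Constructed membership table (the query's user_orgs): actor -> organizations they belong to.
MEMBERSHIPS = {"alice": {"org-a"}, "bob": {"org-b"}}
# Constructed set of actors holding enrollment-level edit permission.
ENROLLMENT_EDITORS = {"alice", "bob"}


def can_preregister(actor, target_org, memberships=MEMBERSHIPS, editors=ENROLLMENT_EDITORS):
    """Hardened rule: enrollment-edit permission alone is not enough; the actor
    must also belong to the organization the new user is being created in."""
    return actor in editors and target_org in memberships.get(actor, set())


def find_cross_org_creations(log_text, memberships=MEMBERSHIPS):
    """Apply the SIEM logic to raw log lines: user_create events from the
    Control Panel whose org_id is outside the actor's own organizations."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed lines are skipped rather than reported
        if rec.get("source") != "control_panel" or rec.get("action") != "user_create":
            continue
        actor = rec.get("actor")
        if rec.get("org_id") not in memberships.get(actor, set()):
            hits.append((actor, rec.get("org_id"), rec.get("target")))
    return hits


if __name__ == "__main__":
    for hit in find_cross_org_creations(SAMPLE_LOG):
        print("cross-org user creation:", hit)
```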