CVE-2025-64717
📋 TL;DR
This vulnerability in the ZITADEL identity management platform allows unauthenticated attackers to bypass organization security controls and take over accounts. Attackers can use disabled identity providers to link external identities to existing internal user accounts. Organizations running ZITADEL versions 2.50.0 through 2.71.18, 3.x through 3.4.3, or 4.x through 4.6.5 are affected.
💻 Affected Systems
- ZITADEL
📦 What is this software?
Zitadel by Zitadel
⚠️ Risk & Real-World Impact
Worst Case
Full account takeover of administrator or privileged user accounts, leading to complete compromise of identity management system and downstream applications.
Likely Case
Account takeover of regular user accounts, enabling unauthorized access to applications and data protected by ZITADEL authentication.
If Mitigated
Accounts with MFA enabled remain protected; only instance-level IdPs are vulnerable, limiting attack surface.
🎯 Exploit Status
Attack requires knowledge of valid user accounts and access to disabled IdP credentials. No public exploit code available at time of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.71.19, 3.4.4, or 4.6.6
Vendor Advisory: https://github.com/zitadel/zitadel/security/advisories/GHSA-j4g7-v4m4-77px
Restart Required: Yes
Instructions:
1. Back up your ZITADEL instance and configuration.
2. Upgrade to version 2.71.19, 3.4.4, or 4.6.6, depending on your major version.
3. Restart ZITADEL services.
4. Verify the fix by testing authentication flows with disabled IdPs.
🔧 Temporary Workarounds
Enable MFA for all accounts
Multi-factor authentication prevents account takeover via this vulnerability
Disable instance-level IdPs
Remove or disable all identity providers configured at instance level
🧯 If You Can't Patch
- Enable MFA for all user accounts immediately
- Audit and disable all instance-level identity providers
🔍 How to Verify
Check if Vulnerable:
Check the ZITADEL version and compare it against the affected ranges. Check whether any instance-level IdPs are configured.
Check Version:
Run zitadel version, or check the version information in the ZITADEL admin interface.
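The version comparison above, as an added example that is not part of this advisory or of the ZITADEL project: it parses a version string as reported by the instance and reports whether it falls inside the affected ranges listed above and which release carries the fix.

```python
"""Check whether a ZITADEL version falls in the CVE-2025-64717 affected ranges.

Added example, not part of the advisory or the ZITADEL project. Ranges and fixed
versions are taken from the advisory text: 2.50.0-2.71.18, 3.x-3.4.3 and 4.x-4.6.5
are affected; 2.71.19, 3.4.4 and 4.6.6 carry the fix.
"""
import re

# Per major branch: (lowest affected, highest affected, first fixed release)
AFFECTED_RANGES = {
    2: ((2, 50, 0), (2, 71, 18), (2, 71, 19)),
    3: ((3, 0, 0), (3, 4, 3), (3, 4, 4)),
    4: ((4, 0, 0), (4, 6, 5), (4, 6, 6)),
}

# Accepts "2.71.18", "v2.71.18" and "4.6.5-rc1"; pre-release/build suffixes are
# ignored, so a pre-release of a fixed version is treated as fixed (caveat).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(text: str) -> tuple:
    """Parse a ZITADEL version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised ZITADEL version string: {text!r}")
    return tuple(int(part) for part in m.groups())


def assess(version: str) -> dict:
    """Return whether the version is affected and, if so, the release to upgrade to."""
    v = parse_version(version)
    branch = AFFECTED_RANGES.get(v[0])
    if branch is None:
        # Majors other than 2, 3 and 4 are not listed in the advisory at all.
        return {"version": version, "affected": False, "fixed_in": None}
    low, high, fixed = branch
    affected = low <= v <= high
    fixed_in = ".".join(str(n) for n in fixed) if affected else None
    return {"version": version, "affected": affected, "fixed_in": fixed_in}


if __name__ == "__main__":
    # Constructed sample version strings, one each side of every fix boundary.
    for sample in ("v2.71.18", "2.71.19", "v3.4.3", "3.4.4", "4.6.5", "4.6.6", "2.49.9"):
        print(assess(sample))
```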
Verify Fix Applied:
After the upgrade, attempt authentication with a disabled IdP; it should be rejected. Check that organization login policies are enforced.
📡 Detection & Monitoring
Log Indicators:
- Authentication attempts from disabled IdPs
- Unexpected user account linking events
- Failed login policy enforcement logs
Network Indicators:
- Authentication requests to disabled IdP endpoints
- Unexpected federation traffic patterns
SIEM Query:
source="zitadel" AND (event="user_linked" OR event="auth_attempt") AND status="success" AND idp_status="disabled"