CVE-2025-66906
📋 TL;DR
This CSRF vulnerability in Turms Admin API allows attackers to trick authenticated administrators into performing unintended actions, potentially granting attackers escalated privileges. It affects all Turms deployments using versions through v0.10.0-SNAPSHOT. The vulnerability requires an attacker to lure an authenticated admin to a malicious page.
💻 Affected Systems
- Turms Admin API
📦 What is this software?
Turms by Turms Im
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative privileges, allowing them to modify system configurations, access sensitive data, or compromise the entire Turms deployment.
Likely Case
Attackers perform unauthorized administrative actions such as creating new admin accounts, modifying user permissions, or changing system settings.
If Mitigated
With proper CSRF protections, the attack fails and no privilege escalation occurs.
🎯 Exploit Status
Exploitation requires an authenticated admin user to visit a malicious page while logged into Turms Admin.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v0.10.0 or later
Vendor Advisory: https://github.com/turms-im/turms
Restart Required: Yes
Instructions:
1. Update Turms to version v0.10.0 or later.
2. Restart the Turms service.
3. Verify CSRF protections are enabled in configuration.
🔧 Temporary Workarounds
Enable CSRF Protection
Manually configure CSRF tokens in Turms Admin API if not already enabled
Configure turms.admin.api.csrf.enabled=true in application properties
Restrict Admin API Access
Limit access to Admin API endpoints to trusted networks only
Configure firewall rules to restrict access to Turms Admin API port
🧯 If You Can't Patch
- Implement network segmentation to isolate Admin API from untrusted networks
- Require re-authentication for sensitive administrative actions
🔍 How to Verify
Check if Vulnerable:
Check Turms version and verify if CSRF protection is disabled in configuration
Check Version:
Check Turms server logs or configuration for version information
Verify Fix Applied:
Verify Turms version is v0.10.0 or later and CSRF protection is enabled
📡 Detection & Monitoring
Log Indicators:
- Multiple failed CSRF token validations
- Unauthorized admin API requests from unexpected sources
Network Indicators:
- Admin API requests without proper referrer headers
- Requests with missing CSRF tokens
SIEM Query:
source_ip NOT IN trusted_networks AND destination_port=admin_api_port AND user_agent=suspicious
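The log and network indicators above can be turned into a simple detection check. The following is an added example, not code from the Turms project or this advisory: it assumes parsed admin API request records with fields named `method`, `path`, `src_ip`, `csrf_token`, `origin` and `referer`, an assumed admin console origin, and assumed trusted networks; all sample records are constructed.

```python
import ipaddress
from urllib.parse import urlparse

# Assumed deployment values (not from the advisory); adjust to your environment.
ADMIN_ORIGIN = "https://admin.example.internal"
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("192.168.1.0/24")]
# Only state-changing methods matter for CSRF; reads are not the risk here.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def check_request(req):
    """Return the indicator names triggered by one admin API request record."""
    findings = []
    if req["method"].upper() not in STATE_CHANGING:
        return findings
    src = ipaddress.ip_address(req["src_ip"])
    if not any(src in net for net in TRUSTED_NETWORKS):
        findings.append("untrusted_source")
    if not req.get("csrf_token"):
        findings.append("missing_csrf_token")
    # A cross-site request carries the attacker's Origin/Referer, or none at all.
    origin = req.get("origin") or req.get("referer")
    if origin is None:
        findings.append("missing_origin")
    else:
        p = urlparse(origin)
        if f"{p.scheme}://{p.netloc}" != ADMIN_ORIGIN:
            findings.append("origin_mismatch")
    return findings


def scan(records):
    """Return (src_ip, path, findings) for every record that triggers an indicator."""
    return [(r["src_ip"], r["path"], f) for r in records if (f := check_request(r))]


# Constructed sample records (hypothetical paths and addresses).
SAMPLE = [
    {"method": "POST", "path": "/admins", "src_ip": "10.0.0.5",
     "csrf_token": "tok1", "origin": ADMIN_ORIGIN},                 # legitimate
    {"method": "POST", "path": "/admins", "src_ip": "10.0.0.7",
     "csrf_token": None, "referer": "https://evil.example/page"},   # cross-site
    {"method": "GET", "path": "/admins", "src_ip": "203.0.113.9"},  # read-only
    {"method": "PUT", "path": "/admins/roles", "src_ip": "203.0.113.9",
     "csrf_token": "tok2"},                                         # untrusted, no origin
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```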