CVE-2025-9072
📋 TL;DR
Mattermost SAML authentication redirect vulnerability allows attackers to steal user session cookies via malicious links. When users authenticate through SAML, the system fails to validate redirect URLs, enabling cookie exfiltration to attacker-controlled servers. Affects Mattermost instances with SAML authentication enabled.
💻 Affected Systems
- Mattermost
📦 What is this software?
Mattermost Server by Mattermost
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal session cookies from all users authenticating via SAML, leading to complete account takeover, data theft, and potential lateral movement within the organization.
Likely Case
Targeted phishing campaigns steal session cookies from specific users, resulting in unauthorized access to Mattermost channels, files, and communications.
If Mitigated
With proper network segmentation and monitoring, impact is limited to the isolated Mattermost instance, with quick detection of anomalous redirects.
🎯 Exploit Status
Exploitation requires user interaction (clicking malicious link) but is straightforward once SAML auth is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.10.2, 10.5.10, 10.9.5 or later
Vendor Advisory: https://mattermost.com/security-updates
Restart Required: Yes
Instructions:
1. Back up the Mattermost configuration and database.
2. Download the patched version from the Mattermost downloads page.
3. Stop the Mattermost service.
4. Install the updated version following the Mattermost upgrade guide.
5. Restart the Mattermost service.
6. Verify that SAML authentication works correctly.
🔧 Temporary Workarounds
Disable SAML Authentication
Applies to: all
Temporarily disable SAML authentication until patching is complete.
Edit config.json: set "EnableSaml": false
Restart Mattermost service
Implement WAF Rules
Applies to: all
Block suspicious redirect patterns in the web application firewall.
Add a WAF rule to block URLs with a redirect_to parameter containing external domains
🧯 If You Can't Patch
- Implement strict outbound firewall rules to block Mattermost servers from connecting to external domains
- Deploy network monitoring to detect cookie exfiltration patterns and suspicious redirects
🔍 How to Verify
Check if Vulnerable:
Check Mattermost version and SAML configuration:
1. Run the 'mattermost version' command.
2. Verify SAML is enabled in config.json.
3. Confirm the version falls within the affected ranges.
Check Version:
mattermost version
Verify Fix Applied:
1. Confirm the version is 10.10.2+, 10.5.10+, or 10.9.5+.
2. Test SAML authentication with various redirect URLs to ensure validation is working.
3. Verify no unauthorized redirects occur during the authentication flow.
📡 Detection & Monitoring
Log Indicators:
- Unusual redirect URLs in authentication logs
- SAML authentication attempts with external redirect_to parameters
- Failed redirect validation messages
Network Indicators:
- Outbound HTTP POST requests containing session cookies to unfamiliar domains
- Unusual traffic patterns during SAML authentication flows
SIEM Query:
source="mattermost" AND (redirect_to CONTAINS "http://" OR redirect_to CONTAINS "https://") AND NOT redirect_to CONTAINS "yourdomain.com"
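The WAF workaround above ("block redirect_to values pointing at external domains") and the SIEM query both come down to one check: is the redirect_to target on this instance's own origin or not? The following Go program is an added example, not Mattermost's code and not the fix shipped in the patched versions. It implements that check as an allowlist rule (IsSafeRedirect) that also rejects the protocol-relative, backslash, userinfo and suffix-lookalike forms that a naive "contains yourdomain.com" filter lets through, and then applies the same rule to constructed log lines (FlagExternalRedirects) to show what the SIEM query should surface. The site URL, hostnames and log field layout are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// IsSafeRedirect reports whether a redirect_to value may be followed after
// SAML login. siteURL is the instance's configured base URL. Policy: accept
// only same-origin absolute paths ("/channels/town-square") or absolute URLs
// whose scheme and host match siteURL exactly; everything else is rejected.
func IsSafeRedirect(redirectTo, siteURL string) bool {
	if redirectTo == "" {
		return false
	}
	// Protocol-relative ("//other.example") and backslash variants ("/\other.example")
	// resolve to a foreign origin in browsers, so reject them before parsing.
	if strings.HasPrefix(redirectTo, "//") || strings.HasPrefix(redirectTo, "/\\") {
		return false
	}
	site, err := url.Parse(siteURL)
	if err != nil || site.Host == "" {
		return false
	}
	u, err := url.Parse(redirectTo)
	if err != nil {
		return false
	}
	if u.Scheme == "" && u.Host == "" {
		// Plain relative reference: require absolute-path form on this origin.
		return strings.HasPrefix(redirectTo, "/")
	}
	// Absolute URL (or a non-http scheme such as javascript:): require an exact
	// scheme+host match. A substring test would pass "site.example.com.other.example"
	// and "site.example.com@other.example"; an exact host comparison does not.
	return strings.EqualFold(u.Scheme, site.Scheme) && strings.EqualFold(u.Host, site.Host)
}

// redirectParam extracts a redirect_to query value from a logged request path.
var redirectParam = regexp.MustCompile(`[?&]redirect_to=([^&\s"]+)`)

// FlagExternalRedirects scans log lines for a redirect_to parameter and returns
// the decoded values that fail IsSafeRedirect. It is the log-side equivalent of
// the SIEM query above: any redirect that does not point back at siteURL is reported.
func FlagExternalRedirects(lines []string, siteURL string) []string {
	var flagged []string
	for _, line := range lines {
		m := redirectParam.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		val, err := url.QueryUnescape(m[1])
		if err != nil {
			val = m[1] // keep the raw value so a malformed encoding is still reviewed
		}
		if !IsSafeRedirect(val, siteURL) {
			flagged = append(flagged, val)
		}
	}
	return flagged
}

func main() {
	const site = "https://chat.example.com" // assumed SiteURL for this example
	// Constructed sample log lines; the JSON layout is illustrative, not Mattermost's.
	logs := []string{
		`{"level":"info","msg":"saml login","path":"/login/sso/saml?redirect_to=%2Fchannels%2Ftown-square"}`,
		`{"level":"info","msg":"saml login","path":"/login/sso/saml?redirect_to=https%3A%2F%2Fcollector.example%2Fc"}`,
		`{"level":"info","msg":"saml login","path":"/login/sso/saml?redirect_to=%2F%2Fcollector.example%2F"}`,
		`{"level":"info","msg":"saml login","path":"/login/sso/saml?redirect_to=https%3A%2F%2Fchat.example.com%2Fchannels%2Fdev"}`,
	}
	for _, v := range FlagExternalRedirects(logs, site) {
		fmt.Println("suspicious redirect_to:", v)
	}
}
```

Two of the four constructed lines are flagged: the absolute URL to a foreign host and the protocol-relative one. Note that the SIEM query on the page only catches values that begin with "http://" or "https://"; the protocol-relative form would slip past it unless the query is extended the way FlagExternalRedirects does.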