CVE-2025-24887 is a medium-severity vulnerability affecting the OpenCTI (Open Cyber Threat Intelligence) platform versions from 6.4.8 up to but not including 6.4.10. OpenCTI is an open-source platform widely used for managing and sharing cyber threat intelligence data. The vulnerability stems from improper access control (CWE-284) and insufficient input validation (CWE-657) in the handling of allow/deny lists that govern which user attributes can be modified. Specifically, a low-privileged user can bypass these controls to modify attributes that should be immutable, such as toggling the 'external' flag on or off, altering their own token value, and editing sensitive attributes like 'otp_qr' and 'otp_activated' related to two-factor authentication. This flaw enables unauthorized changes to user account properties and can be exploited to enumerate existing user accounts, particularly external users, potentially exposing sensitive identity information. The vulnerability does not require user interaction and can be exploited remotely over the network with low attack complexity, requiring only low privileges. The scope is limited to the OpenCTI platform installations running the affected versions. The issue was addressed and patched in version 6.4.10. No known exploits are currently reported in the wild. The CVSS v3.1 base score is 6.3, reflecting a medium severity with impacts on confidentiality, integrity, and availability, and an attack vector of network with low privileges required and no user interaction needed.

For European organizations using OpenCTI versions 6.4.8 to before 6.4.10, this vulnerability poses a significant risk to the confidentiality and integrity of user account information and authentication mechanisms. Since OpenCTI is used to manage sensitive cyber threat intelligence, unauthorized modification of user attributes could lead to privilege escalation, unauthorized access, or disruption of threat intelligence workflows. The ability to enumerate user accounts may expose identities of external collaborators or partners, potentially violating privacy regulations such as GDPR. Furthermore, tampering with two-factor authentication settings could weaken account security, increasing the risk of account compromise. This could undermine trust in the platform and impact incident response capabilities. Although no known exploits exist yet, the ease of exploitation and the critical nature of the data managed by OpenCTI make this a noteworthy threat for European cybersecurity teams relying on this platform.

1. Immediate upgrade of all OpenCTI instances to version 6.4.10 or later to apply the official patch addressing this vulnerability. 2. Conduct an audit of user accounts, especially external users, to detect any unauthorized changes to attributes such as 'external' flags or two-factor authentication settings. 3. Implement strict monitoring and alerting on changes to sensitive user attributes within OpenCTI to detect suspicious activity early. 4. Restrict access to the OpenCTI platform to trusted networks and enforce strong authentication and authorization policies to minimize the risk of low-privileged user exploitation. 5. Review and harden the platform's integration points and API endpoints to ensure that access control policies are correctly enforced. 6. Educate administrators and users about the importance of promptly applying security updates and monitoring account integrity. 7. If feasible, isolate OpenCTI instances handling highly sensitive data to reduce exposure. 8. Consider additional compensating controls such as network segmentation and enhanced logging to support forensic investigations if exploitation occurs.