CVE-2025-24887: CWE-284: Improper Access Control in OpenCTI-Platform opencti
OpenCTI is an open-source cyber threat intelligence platform. In versions starting from 6.4.8 to before 6.4.10, the allow/deny lists can be bypassed, allowing a user to change attributes that are intended to be unmodifiable by the user. It is possible to toggle the `external` flag on/off and change the own token value for a user. It is also possible to edit attributes that are not in the allow list, such as `otp_qr` and `otp_activated`. If external users exist in the OpenCTI setup and the information about these users' identities is sensitive, the above vulnerabilities can be used to enumerate existing user accounts as a standard low-privileged user. This issue has been patched in version 6.4.10.
AI Analysis
Technical Summary
CVE-2025-24887 is a medium-severity vulnerability affecting the OpenCTI (Open Cyber Threat Intelligence) platform versions from 6.4.8 up to but not including 6.4.10. OpenCTI is an open-source platform widely used for managing and sharing cyber threat intelligence data. The vulnerability stems from improper access control (CWE-284) and insufficient input validation (CWE-657) in the handling of allow/deny lists that govern which user attributes can be modified. Specifically, a low-privileged user can bypass these controls to modify attributes that should be immutable, such as toggling the 'external' flag on or off, altering their own token value, and editing sensitive attributes like 'otp_qr' and 'otp_activated' related to two-factor authentication. This flaw enables unauthorized changes to user account properties and can be exploited to enumerate existing user accounts, particularly external users, potentially exposing sensitive identity information. The vulnerability does not require user interaction and can be exploited remotely over the network with low attack complexity, requiring only low privileges. The scope is limited to the OpenCTI platform installations running the affected versions. The issue was addressed and patched in version 6.4.10. No known exploits are currently reported in the wild. The CVSS v3.1 base score is 6.3, reflecting a medium severity with impacts on confidentiality, integrity, and availability, and an attack vector of network with low privileges required and no user interaction needed.
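The core of the fix class described above is that self-service edits must be checked against an allow list of editable attributes, not a deny list of forbidden ones. The following is an added illustration, not OpenCTI's code: the `{ key, value }` edit shape, the allowed attribute names and the `api_token` name for the user's own token are assumptions; `external`, `otp_qr` and `otp_activated` are the attributes named in the advisory.

```javascript
// Added example (not OpenCTI's code): allow-list enforcement for a user's
// self-service profile edit. The { key, value } edit shape and the attribute
// names in SELF_EDIT_ALLOW / 'api_token' are assumptions for illustration.

// Attributes a user may change on their own account. Anything not listed is
// rejected, so a newly added attribute is immutable by default.
const SELF_EDIT_ALLOW = new Set(['name', 'description', 'language', 'theme']);

// Attributes the advisory names as ones a user must not be able to change
// ('api_token' stands in for "the own token value"). Used only to give a
// more specific rejection message; they are rejected by the allow list anyway.
const SENSITIVE_USER_ATTRIBUTES = new Set(['external', 'api_token', 'otp_qr', 'otp_activated']);

class ForbiddenEditError extends Error {
  constructor(key) {
    const why = SENSITIVE_USER_ATTRIBUTES.has(key) ? 'is a protected account attribute' : 'is not user-editable';
    super(`attribute "${key}" ${why}`);
    this.key = key;
  }
}

// Normalises a key before comparison: non-strings are rejected, and
// whitespace / case variants such as " External" cannot bypass an exact match.
function normaliseKey(key) {
  if (typeof key !== 'string') throw new ForbiddenEditError(String(key));
  return key.trim().toLowerCase();
}

// Validates a batch of edits to the caller's own account. Throws on the first
// disallowed key (no partial application) and returns the cleaned batch.
function validateSelfEdit(inputs) {
  if (!Array.isArray(inputs)) throw new TypeError('inputs must be an array of { key, value }');
  return inputs.map(({ key, value }) => {
    const k = normaliseKey(key);
    if (!SELF_EDIT_ALLOW.has(k)) throw new ForbiddenEditError(k);
    return { key: k, value };
  });
}

// Non-throwing variant for logging: lists every key in the batch that the
// allow list would reject, in input order.
function disallowedKeys(inputs) {
  return inputs.map(({ key }) => normaliseKey(key)).filter((k) => !SELF_EDIT_ALLOW.has(k));
}
```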
Potential Impact
For European organizations using OpenCTI versions 6.4.8 to before 6.4.10, this vulnerability poses a significant risk to the confidentiality and integrity of user account information and authentication mechanisms. Since OpenCTI is used to manage sensitive cyber threat intelligence, unauthorized modification of user attributes could lead to privilege escalation, unauthorized access, or disruption of threat intelligence workflows. The ability to enumerate user accounts may expose identities of external collaborators or partners, potentially violating privacy regulations such as GDPR. Furthermore, tampering with two-factor authentication settings could weaken account security, increasing the risk of account compromise. This could undermine trust in the platform and impact incident response capabilities. Although no known exploits exist yet, the ease of exploitation and the critical nature of the data managed by OpenCTI make this a noteworthy threat for European cybersecurity teams relying on this platform.
Mitigation Recommendations
1. Immediate upgrade of all OpenCTI instances to version 6.4.10 or later to apply the official patch addressing this vulnerability.
2. Conduct an audit of user accounts, especially external users, to detect any unauthorized changes to attributes such as 'external' flags or two-factor authentication settings.
3. Implement strict monitoring and alerting on changes to sensitive user attributes within OpenCTI to detect suspicious activity early.
4. Restrict access to the OpenCTI platform to trusted networks and enforce strong authentication and authorization policies to minimize the risk of low-privileged user exploitation.
5. Review and harden the platform's integration points and API endpoints to ensure that access control policies are correctly enforced.
6. Educate administrators and users about the importance of promptly applying security updates and monitoring account integrity.
7. If feasible, isolate OpenCTI instances handling highly sensitive data to reduce exposure.
8. Consider additional compensating controls such as network segmentation and enhanced logging to support forensic investigations if exploitation occurs.
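Recommendations 2 and 3 amount to diffing a trusted baseline of user accounts against the current state and flagging changes to the attributes the advisory names. The following is an added example, not OpenCTI tooling: the record fields, the `api_token` name and both user exports are constructed sample data, and the comparison reports that a token or QR secret changed without echoing its value.

```javascript
// Added example (not OpenCTI's code): compare a baseline export of user
// accounts with a current export and report changes to attributes a standard
// user must never be able to alter. Field names, 'api_token' and both data
// sets are constructed for illustration.
const WATCHED_ATTRIBUTES = ['external', 'otp_activated', 'otp_qr', 'api_token'];
const SECRET_ATTRIBUTES = new Set(['otp_qr', 'api_token']); // never echoed into findings

// Constructed baseline, e.g. an export taken before the affected release was deployed.
const BASELINE_USERS = [
  { id: 'u-1', name: 'alice', external: false, otp_activated: true, otp_qr: 'qr-a', api_token: 'tok-a' },
  { id: 'u-2', name: 'bob', external: true, otp_activated: false, otp_qr: null, api_token: 'tok-b' },
  { id: 'u-3', name: 'carol', external: true, otp_activated: true, otp_qr: 'qr-c', api_token: 'tok-c' },
];

// Constructed current export: bob's external flag flipped, carol's 2FA
// disabled and token rotated, alice unchanged, one account missing.
const CURRENT_USERS = [
  { id: 'u-1', name: 'alice', external: false, otp_activated: true, otp_qr: 'qr-a', api_token: 'tok-a' },
  { id: 'u-2', name: 'bob', external: false, otp_activated: false, otp_qr: null, api_token: 'tok-b' },
  { id: 'u-3', name: 'carol', external: true, otp_activated: false, otp_qr: null, api_token: 'tok-x' },
];

// One finding per (account, attribute) that differs from the baseline, plus a
// finding for any account that appeared or disappeared between the two exports.
function diffSensitiveAttributes(baseline, current) {
  const before = new Map(baseline.map((u) => [u.id, u]));
  const seen = new Set();
  const findings = [];
  for (const user of current) {
    seen.add(user.id);
    const old = before.get(user.id);
    if (!old) { findings.push({ id: user.id, name: user.name, attribute: '(account added)' }); continue; }
    for (const attr of WATCHED_ATTRIBUTES) {
      if (old[attr] === user[attr]) continue;
      const show = (v) => (SECRET_ATTRIBUTES.has(attr) ? '<redacted>' : v);
      findings.push({ id: user.id, name: user.name, attribute: attr, before: show(old[attr]), after: show(user[attr]) });
    }
  }
  for (const u of baseline) if (!seen.has(u.id)) findings.push({ id: u.id, name: u.name, attribute: '(account removed)' });
  return findings;
}

// Groups findings by account name so an analyst gets one line per affected user.
function summariseByUser(findings) {
  const out = new Map();
  for (const f of findings) out.set(f.name, [...(out.get(f.name) || []), f.attribute]);
  return out;
}
```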
Affected Countries
France, Germany, United Kingdom, Netherlands, Belgium, Sweden, Finland, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-01-27T15:32:29.450Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Added to database: 5/21/2025, 9:09:14 AM
Last enriched: 6/25/2025, 11:48:18 AM
Last updated: 8/18/2025, 5:01:35 PM