CVE-2025-24977: CWE-94: Improper Control of Generation of Code ('Code Injection') in OpenCTI-Platform opencti
OpenCTI is an open cyber threat intelligence (CTI) platform. Prior to version 6.4.11, any user with the capability `manage customizations` can execute commands on the underlying infrastructure where OpenCTI is hosted and can access internal server-side secrets by misusing the web-hooks. Since the malicious user gets a root shell inside a container, this opens up the infrastructure environment for further attacks and exposures. Version 6.4.11 fixes the issue.
AI Analysis
Technical Summary
CVE-2025-24977 is a critical vulnerability classified under CWE-94 (Improper Control of Generation of Code, 'Code Injection') in OpenCTI, an open-source cyber threat intelligence platform. It affects all versions prior to 6.4.11. The root cause is in the webhook feature: a user who holds the 'manage customizations' capability can configure webhooks in a way that results in arbitrary command execution on the infrastructure hosting OpenCTI. The advisory reports that exploitation yields a root shell inside the OpenCTI container, which gives full control of that container, exposes the internal server-side secrets reachable from the OpenCTI process, and provides a foothold for data manipulation, exfiltration and attacks on the surrounding infrastructure. The flaw is reachable over the network and needs no user interaction, but it does require an authenticated account that already holds the manage customizations capability; the realistic attacker is therefore an insider with that role, or an external party who has compromised such an account. The CVSS v3.1 base score is 9.1 (critical): the high privilege requirement is outweighed by the complete loss of confidentiality, integrity and availability and by an impact that extends beyond the OpenCTI application to the container and the environment around it. Version 6.4.11 fixes the issue, so upgrading is the primary remediation. No exploitation in the wild has been reported, but the severity and the nature of the flaw make it a significant risk for organizations that rely on OpenCTI for threat intelligence operations.
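The advisory does not publish the exploit, so the following is an added illustration of the CWE-94 pattern it describes and not OpenCTI's code: a webhook body template that the server evaluates as JavaScript, next to a renderer that only substitutes event fields and a save-time check for templates. The template syntax, function names and the sample event and secret are all assumptions constructed for the example; the only point they share with the advisory is that a customization-level user controls the template and the server process holds secrets.

```javascript
// Added illustration of the CWE-94 pattern behind CVE-2025-24977. Hypothetical code,
// not OpenCTI's implementation; template syntax and names are assumptions.

// Constructed sample: a notification the platform would hand to a webhook.
const sampleEvent = { name: 'Malicious IP 203.0.113.10', type: 'Indicator' };

// Constructed sample: a secret that lives in the server process environment.
process.env.DEMO_DB_PASSWORD = 'hunter2-constructed';

// VULNERABLE (CWE-94): the user-supplied template becomes the body of a JS template
// literal, so ${...} may hold any expression, not only a field reference. The
// `with (data)` trick is how naive template engines expose fields as bare names;
// it also leaves every global (process, globalThis, ...) in reach of the template.
function renderWebhookBodyUnsafe(template, data) {
  const fn = new Function('data', 'with (data) { return `' + template + '`; }');
  return fn(data);
}

// Placeholder grammar the hardened renderer accepts: ${field} or ${field.sub.path}.
const PLACEHOLDER = /\$\{([A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)*)\}/g;

// Walk a dotted path through plain data only: own properties, no prototype
// chain, no globals, no calls.
function lookupPath(data, path) {
  let cur = data;
  for (const key of path.split('.')) {
    if (cur === null || typeof cur !== 'object' || !Object.prototype.hasOwnProperty.call(cur, key)) {
      return undefined;
    }
    cur = cur[key];
  }
  return cur;
}

// HARDENED: every ${...} is resolved by lookup against the event data. Anything
// that is not a plain field path does not match PLACEHOLDER and is left as text.
function renderWebhookBodySafe(template, data) {
  return template.replace(PLACEHOLDER, (_match, path) => {
    const value = lookupPath(data, path);
    return value === undefined ? '' : String(value);
  });
}

// Save-time validation at the "manage customizations" boundary: reject a template
// whose ${...} is not a plain field path, or that contains a backtick, which would
// terminate the literal in an evaluating renderer.
function isSafeTemplate(template) {
  const residue = template.replace(PLACEHOLDER, '');
  return !/\$\{|`/.test(residue);
}

// Side-by-side result for a benign template and for a secret-reading one.
function demo() {
  return {
    unsafeBenign: renderWebhookBodyUnsafe('${name} (${type})', sampleEvent),
    unsafeLeak: renderWebhookBodyUnsafe('${process.env.DEMO_DB_PASSWORD}', sampleEvent),
    safeBenign: renderWebhookBodySafe('${name} (${type})', sampleEvent),
    safeLeak: renderWebhookBodySafe('${process.env.DEMO_DB_PASSWORD}', sampleEvent),
  };
}
```

Run with `node` and inspect `demo()`: the evaluating renderer returns the constructed secret for the second template, while the lookup-based renderer returns an empty string because `process` is not a field of the event. The check in `isSafeTemplate` belongs on the write path, so that a template which could only ever have worked in an evaluating renderer is never stored.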
Potential Impact
For European organizations, the impact of CVE-2025-24977 can be severe. OpenCTI is used by cybersecurity teams to collect, analyze, and share threat intelligence data critical for defending against cyber threats. Compromise of the OpenCTI platform through this vulnerability could lead to unauthorized access to sensitive threat intelligence, internal secrets, and potentially other connected systems. This could degrade the organization's ability to detect and respond to cyber threats effectively, increasing the risk of secondary attacks such as ransomware, data breaches, or espionage. Additionally, since the attacker gains root access within the container, they could disrupt availability by destroying or manipulating data and services. The breach of confidentiality and integrity of threat intelligence data could also undermine trust and compliance with European data protection regulations such as GDPR, especially if personal or sensitive data is involved. The critical nature of this vulnerability means that organizations using vulnerable OpenCTI versions face a high risk of operational disruption and reputational damage.
Mitigation Recommendations
1. Upgrade to OpenCTI 6.4.11 or later; this is the only fix for the flaw itself.
2. Restrict the 'manage customizations' capability to the few people who genuinely need to edit webhooks and other customizations, and review who holds it, including through roles or groups that bundle it.
3. Enforce strong authentication, including MFA, for OpenCTI accounts, above all those with elevated capabilities, since the flaw is only reachable from such an account.
4. Review existing webhook definitions for anything that does not look like a plain notification template, and monitor audit logs for webhook creation or modification and for other customization changes.
5. Run the OpenCTI container with least privilege (non-root where the image allows it, no unnecessary capabilities or host mounts, restricted egress) and isolate it from other critical components, so that a container compromise does not become a host or network compromise.
6. After patching an instance that was exposed, rotate the secrets the OpenCTI process holds in its configuration or environment, since a root shell in the container could have read them.
7. Segment the network so that the OpenCTI interface and its backing services are reachable only from trusted networks.
8. Validate the deployment after patching with a vulnerability assessment or penetration test focused on OpenCTI, to confirm that no residual risk remains.
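Steps 1 and 2 above are the two checks worth scripting. The helpers below are an added example, not OpenCTI tooling: one decides whether a reported version is below the fixed 6.4.11, the other lists accounts holding the customization capability that are not on an approved list. The GraphQL query strings, the response shapes, the internal capability name and the sample response are assumptions to confirm against your own instance's schema and role settings.

```javascript
// Added triage helpers for CVE-2025-24977. Not OpenCTI code; query text, response
// shapes and capability names are assumptions, and the sample response is constructed.

const FIXED_VERSION = [6, 4, 11];

// Accepts "6.4.10", "v6.4.10" or "6.4.11-rc.1"; returns numeric parts plus a pre-release flag.
function parseVersion(s) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$/.exec(String(s).trim());
  if (!m) throw new Error('unrecognised version string: ' + s);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] !== undefined };
}

// True for anything below 6.4.11. A pre-release tagged 6.4.11-x sorts before the
// release, so it is treated as vulnerable rather than fixed.
function isVulnerableVersion(version) {
  const { parts, prerelease } = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (parts[i] < FIXED_VERSION[i]) return true;
    if (parts[i] > FIXED_VERSION[i]) return false;
  }
  return prerelease;
}

// Assumed internal names: the customization capability and the bypass-all capability.
// Confirm both under Settings > Security > Roles on your instance before relying on them.
const CUSTOMIZATION_CAPABILITY = 'SETTINGS_SETCUSTOMIZATION';
const BYPASS_CAPABILITY = 'BYPASS';

// Assumed query shapes.
const VERSION_QUERY = '{ about { version } }';
const USERS_QUERY = '{ users { edges { node { id name user_email capabilities { name } } } } }';

// From a users-query result, list accounts that can reach the vulnerable feature
// (directly, or via bypass-all) and are not on the approved list.
function unexpectedCustomizers(usersResult, approvedEmails) {
  const approved = new Set(approvedEmails.map((e) => e.toLowerCase()));
  const findings = [];
  for (const { node } of usersResult.data.users.edges) {
    const caps = (node.capabilities || []).map((c) => c.name);
    const canCustomize = caps.includes(CUSTOMIZATION_CAPABILITY) || caps.includes(BYPASS_CAPABILITY);
    if (!canCustomize) continue;
    if (approved.has(String(node.user_email).toLowerCase())) continue;
    findings.push({ id: node.id, name: node.name, email: node.user_email, capabilities: caps });
  }
  return findings;
}

// Live use against an instance's /graphql endpoint with a bearer token (not exercised offline).
async function triageInstance(baseUrl, token, approvedEmails) {
  const run = async (query) => {
    const res = await fetch(baseUrl.replace(/\/$/, '') + '/graphql', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json', Authorization: 'Bearer ' + token },
      body: JSON.stringify({ query }),
    });
    return res.json();
  };
  const about = await run(VERSION_QUERY);
  const users = await run(USERS_QUERY);
  const version = about.data.about.version;
  return {
    version,
    vulnerable: isVulnerableVersion(version),
    unexpectedCustomizers: unexpectedCustomizers(users, approvedEmails),
  };
}

// Constructed sample response in the assumed shape, for offline use.
const sampleUsersResult = { data: { users: { edges: [
  { node: { id: 'u1', name: 'Admin', user_email: 'admin@example.org',
            capabilities: [{ name: 'BYPASS' }] } },
  { node: { id: 'u2', name: 'Analyst', user_email: 'analyst@example.org',
            capabilities: [{ name: 'KNOWLEDGE' }] } },
  { node: { id: 'u3', name: 'Integrator', user_email: 'integ@example.org',
            capabilities: [{ name: 'SETTINGS_SETCUSTOMIZATION' }] } },
] } } };
```

On the constructed sample, `unexpectedCustomizers(sampleUsersResult, ['admin@example.org'])` reports only the Integrator account. Accounts with the bypass-all capability are included deliberately: they can reach the webhook feature without holding the customization capability by name, so they belong in the review even if they are usually approved.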
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-01-29T15:18:03.211Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682d981dc4522896dcbdb028
Added to database: 5/21/2025, 9:08:45 AM
Last enriched: 7/5/2025, 7:42:58 PM
Last updated: 7/29/2025, 7:18:41 AM
Related Threats
- CVE-2025-8972: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)
- CVE-2025-51986: n/a (Unknown)
- CVE-2025-52335: n/a (High)
- CVE-2025-8971: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)
- CVE-2025-8970: SQL Injection in itsourcecode Online Tour and Travel Management System (Medium)