CVE-2025-24977: Critical Code Injection Vulnerability in OpenCTI

Overview

A critical vulnerability has been disclosed in OpenCTI, tracked as CVE-2025-24977. An authenticated user who holds the manage customizations capability can execute arbitrary code on the infrastructure hosting the platform and read server-side secrets. The issue affects all versions prior to 6.4.11 and carries a CVSS v3.1 base score of 9.1 (Critical).

What is OpenCTI?

OpenCTI (Open Cyber Threat Intelligence) is a widely adopted open-source platform for managing and sharing cyber threat intelligence. It lets organizations structure, store and visualize threat information, and it is typically wired into the rest of the security stack through connectors and API integrations, so a compromise of the platform can expose the credentials and data of the systems around it.

Technical Details

The vulnerability is classified as CWE-94 (Improper Control of Generation of Code, "Code Injection"): configuration supplied through the webhook feature is handled in a way that lets it run as code on the server instead of being treated as data. The manage customizations capability is normally reserved for administrators, but any user who holds it can:

  • Execute commands on the host infrastructure through the webhook functionality.
  • Obtain a root shell inside the container running OpenCTI.
  • Read internal secrets and environment details available to the OpenCTI process.

The precondition is an administrative capability, so it is not trivial, but the outcome is complete control of the OpenCTI container and of every credential the platform holds, which is what makes lateral movement to other infrastructure components possible.
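To make the CWE-94 pattern concrete, the following is an added example written for this article. It is not OpenCTI's own code and not the actual vulnerable function: a generic Node.js webhook renderer in its vulnerable form (the operator-editable template is compiled as JavaScript with new Function) beside a hardened form that treats the template as data and substitutes only allow-listed fields, plus a small audit helper that flags stored templates containing executable constructs. The function names, the sample event and the secret placed in process.env are all constructed for the example.

```javascript
// Added illustration of the CWE-94 pattern behind CVE-2025-24977, written for
// this article. It is NOT OpenCTI's code: the function names, the event shape
// and the secret are all constructed for the example.

// Constructed: a server-side secret reachable through process.env, as an
// API token or database password would be in a real deployment.
process.env.OPENCTI_DEMO_SECRET = "constructed-secret-token";

// Constructed sample notification event that a webhook body is built from.
const SAMPLE_EVENT = { id: "report--1", name: "Weekly threat report", severity: "high" };

// VULNERABLE: the operator-editable template is compiled as JavaScript source.
// new Function() runs in global scope, so process, globalThis and everything
// reachable from them are available to whoever edits the template, and the
// result of an expression such as ${process.env.X} lands in the webhook body.
function renderTemplateUnsafe(template, event) {
  const fn = new Function("event", "return `" + template + "`;");
  return fn(event);
}

// Only these event fields may be interpolated by the hardened renderer.
const ALLOWED_FIELDS = new Set(["id", "name", "severity"]);

// HARDENED: the template is data, never code. Only {{field}} placeholders
// naming allow-listed event fields are substituted; any other text, including
// ${...} and require(...), is copied through verbatim.
function renderTemplateSafe(template, event) {
  return template.replace(/\{\{\s*([A-Za-z_][A-Za-z0-9_]*)\s*\}\}/g, (_, field) => {
    if (!ALLOWED_FIELDS.has(field)) {
      throw new Error(`template references a field that is not allow-listed: ${field}`);
    }
    return String(event[field]);
  });
}

// Audit helper for existing webhook templates: returns the constructs that
// indicate a template was written to be executed rather than substituted.
const RED_FLAGS = [
  ["template-literal expression", /\$\{/],
  ["process object", /\bprocess\b/],
  ["module loading", /\brequire\s*\(/],
  ["child_process", /child_process/],
  ["dynamic code", /\b(eval|Function)\s*\(/],
];

function templateRedFlags(template) {
  return RED_FLAGS.filter(([, re]) => re.test(template)).map(([label]) => label);
}

// Stand-alone demonstration: the same hostile template through both renderers.
function demo() {
  const hostile = 'Alert: ${event.name} token=${process.env.OPENCTI_DEMO_SECRET} node=${process.version}';
  const unsafe = renderTemplateUnsafe(hostile, SAMPLE_EVENT); // secret and runtime details leak
  const safe = renderTemplateSafe("Alert: {{name}} [{{severity}}] " + hostile, SAMPLE_EVENT);
  return { unsafe, safe, flags: templateRedFlags(hostile) };
}
```

The unsafe renderer needs no require() in scope to be dangerous: new Function already sees the global process object, and from there the attacker reads environment secrets or walks to other loaded modules. The hardened renderer fails closed on any placeholder outside the allow-list, which also keeps prototype properties such as constructor out of reach.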

CVSS Breakdown

  • Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High (the manage customizations capability is needed)
  • User Interaction: None
  • Scope: Changed (the impact reaches the hosting infrastructure and other components, not just the OpenCTI application)
  • Confidentiality, Integrity, Availability: High

Affected Versions

All OpenCTI versions prior to 6.4.11 are affected by this vulnerability.

Mitigation

The vulnerability is patched in OpenCTI 6.4.11. All users are strongly advised to:

  • Upgrade to version 6.4.11 or later immediately.
  • Audit roles and user assignments, and remove the manage customizations capability from every role that does not strictly need it; until the upgrade is in place, treat every account holding it as able to run code on the server.
  • Review existing webhook configurations for content that looks like code rather than a message template, and monitor for unexpected processes or outbound connections from the OpenCTI container.
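As an added example of the audit step (written for this article, not OpenCTI's own tooling), the Node.js script below decides whether a reported version is affected and lists the roles whose capabilities should be reviewed. The GraphQL query text, the response shape and the capability identifier SETTINGS_SETCUSTOMIZATION are assumptions to confirm against the deployed instance's schema (the roles screen in the OpenCTI settings UI shows the same data); the sample response is constructed so the audit runs offline.

```javascript
// Added triage helpers for the mitigation steps above, written for this
// article; not OpenCTI's own tooling. The query text and the capability
// identifier are ASSUMPTIONS to verify against the instance's GraphQL schema.

const FIXED_VERSION = "6.4.11";

// Returns true when `version` is strictly older than the fixed release.
// A pre-release suffix (e.g. 6.4.11-rc.1) is treated as older than the
// release it precedes, so it still counts as affected.
function isAffectedVersion(version, fixed = FIXED_VERSION) {
  const split = (v) => {
    const [core, pre] = v.replace(/^v/, "").split("-", 2);
    return { nums: core.split(".").map((n) => parseInt(n, 10) || 0), pre: pre !== undefined };
  };
  const a = split(version), b = split(fixed);
  for (let i = 0; i < Math.max(a.nums.length, b.nums.length); i++) {
    const x = a.nums[i] || 0, y = b.nums[i] || 0;
    if (x !== y) return x < y;
  }
  return a.pre && !b.pre; // same numbers: only a pre-release is older
}

// Assumed query shape; verify the field names against the instance's schema.
const ROLES_QUERY = "query Roles { roles { edges { node { name capabilities { name } } } } }";

// In OpenCTI the BYPASS capability grants every permission, so roles carrying
// it can exercise the vulnerable feature even without the explicit capability.
const EFFECTIVE_PATTERN = /CUSTOMIZATION|^BYPASS$/i;

// Returns the names of roles whose capabilities match `pattern`.
function rolesWithCapability(rolesResponse, pattern = EFFECTIVE_PATTERN) {
  const edges = (rolesResponse.data && rolesResponse.data.roles && rolesResponse.data.roles.edges) || [];
  return edges
    .map((e) => e.node)
    .filter((r) => (r.capabilities || []).some((c) => pattern.test(c.name)))
    .map((r) => r.name);
}

// Fetches roles from a live instance (Node 18+ global fetch, bearer-token auth
// on /graphql). Not called here: the audit below runs on a constructed response.
async function fetchRoles(baseUrl, token) {
  const res = await fetch(`${baseUrl.replace(/\/$/, "")}/graphql`, {
    method: "POST",
    headers: { "Content-Type": "application/json", Authorization: `Bearer ${token}` },
    body: JSON.stringify({ query: ROLES_QUERY }),
  });
  if (!res.ok) throw new Error(`GraphQL request failed: HTTP ${res.status}`);
  return res.json();
}

// Constructed sample response in the assumed shape (not real instance data).
const SAMPLE_ROLES_RESPONSE = { data: { roles: { edges: [
  { node: { name: "Administrator", capabilities: [{ name: "BYPASS" }] } },
  { node: { name: "Content curator", capabilities: [{ name: "KNOWLEDGE" }, { name: "SETTINGS_SETCUSTOMIZATION" }] } },
  { node: { name: "Analyst", capabilities: [{ name: "KNOWLEDGE" }] } },
] } } };

// One call per instance: is it on a vulnerable build, and who could abuse it?
function audit(version, rolesResponse) {
  return {
    affected: isAffectedVersion(version),
    rolesToReview: rolesWithCapability(rolesResponse),
  };
}
```

Run audit(platformVersion, await fetchRoles(url, token)) against each instance; any role in rolesToReview that is assigned to non-administrators is the one to strip while the upgrade is scheduled.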

Conclusion

CVE-2025-24977 exemplifies the risk of letting user-editable customization and hook configuration be executed as code inside a security platform. Organizations running OpenCTI should treat this vulnerability with urgency given the potential impact on infrastructure integrity and data confidentiality.

For more technical details and updates, refer to the official GitHub advisory.
