CVE-2025-24977

Published May 5, 2025

Last updated 10 months ago

Overview

Description
OpenCTI is an open cyber threat intelligence (CTI) platform. Prior to version 6.4.11, any user with the capability `manage customizations` can execute commands on the underlying infrastructure where OpenCTI is hosted and can access internal server-side secrets by misusing the web-hooks. Since the malicious user gets a root shell inside a container, this opens up the infrastructure environment for further attacks and exposures. Version 6.4.11 fixes the issue.
Source
security-advisories@github.com
NVD status
Analyzed
Products
opencti

Risk scores

CVSS 3.1

Type
Primary
Base score
9.1
Impact score
6
Exploitability score
2.3
Vector string
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

security-advisories@github.com
CWE-94

Social media

Hype score
Not currently trending
  1. Critical vulnerability in OpenCTI (CVE-2025-24977) A critical vulnerability has been discovered in the popular cyber intelligence and information technology (CTI) platform OpenCTI, which allows attackers to take control of the infrastructure by abusing the

    @HackingTeam777

    23 May 2025

    2699 Impressions

    25 Retweets

    105 Likes

    31 Bookmarks

    1 Reply

    0 Quotes

  2. ⚡️The vulnerability details are now available: https://t.co/t2IYwwUA5a 🚨🚨CVE-2025-24977 (CVSS 9.1) exposes OpenCTI to devastating RCE attacks! Any user with "manage customizations" can hijack webhooks to run root-level commands, steal server secrets, and unleash chaos

    @zoomeye_team

    9 May 2025

    20 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. 🚨 CVE-2025-24977 (CVSS 9.1) hits OpenCTI! Critical Webhook flaw enables remote command execution, risking infrastructure takeover. Update to version 6.4.11 now! 🔒 https://t.co/N7jPLVRKgX #CyberSec #OpenCTI

    @_F2po_

    8 May 2025

    18 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. Warning: Critical Code Injection in #OpenCTI. #CVE-2025-24977 CVSS: 9.1. It can lead to arbitrary command execution and lateral movement. See advisory: https://t.co/ZMvyYmRICI #Patch #Patch #Patch

    @CCBalert

    7 May 2025

    265 Impressions

    1 Retweet

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  5. 🚨 CVE-2025-24977 ⚠️🔴 CRITICAL (9.1) 🏢 OpenCTI-Platform - opencti 🏗️ < 6.4.11 🔗 https://t.co/NRh6lukT3R #CyberCron #VulnAlert #InfoSec https://t.co/gz6r1Tcqv4

    @cybercronai

    7 May 2025

    6 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🚨Alert🚨 CVE-2025-24977: Critical RCE Flaw in OpenCTI Platform Exposes Infrastructure to Root-Level Attacks 📊3.2K+ Services are found on the https://t.co/ysWb28BTvF yearly. 🔗Hunter Link:https://t.co/5zGUeGnY3m 👇Query HUNTER : https://t.co/q9rtuGfZuz="OpenCTI" FOFA :

    @HunterMapping

    7 May 2025

    3800 Impressions

    20 Retweets

    48 Likes

    26 Bookmarks

    0 Replies

    0 Quotes

  7. CVE-2025-24977: Critical RCE Flaw in OpenCTI Platform Exposes Infrastructure to Root-Level Attacks https://t.co/lpSToj0aJR

    @the_yellow_fall

    7 May 2025

    1981 Impressions

    18 Retweets

    57 Likes

    13 Bookmarks

    0 Replies

    0 Quotes

  8. All you good kids, update after Golden Week is over~ > A critical vulnerability (CVE-2025-24977) with a CVSS score of 9.1 has been discovered in OpenCTI versions prior to 6.4.11 Secure OpenCTI by updating to version 6.4.11 now https://t.co/8Z5m9UDwMz

    @strinsert1Na

    6 May 2025

    1602 Impressions

    4 Retweets

    17 Likes

    4 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2025-24977 OpenCTI Web-Hook Vulnerability Allows Root Shell and Infrastructure Acce... https://t.co/WPfn1MoPRR Vulnerability Notification: https://t.co/xhLrNnfyrO

    @VulmonFeeds

    5 May 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. 🚨Critical Vulnerability in OpenCTI (CVE-2025-24977) Allows Infrastructure Takeover via Webhook Abuse https://t.co/fyGyDine1i

    @DarkWebInformer

    5 May 2025

    3388 Impressions

    3 Retweets

    14 Likes

    4 Bookmarks

    1 Reply

    0 Quotes

  11. [CVE-2025-24977: CRITICAL] OpenCTI, a cyber threat intelligence platform, had a security flaw allowing users to execute commands and access server secrets. Update to version 6.4.11 to fix this vulnerability.#cve,CVE-2025-24977,#cybersecurity https://t.co/SjSM6Xr18e https://t.co/n

    @CveFindCom

    5 May 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. CVE-2025-24977 OpenCTI is an open cyber threat intelligence (CTI) platform. Prior to version 6.4.11 any user with the capability `manage customizations` can execute commands on the … https://t.co/ouC8tv8U5H

    @CVEnew

    5 May 2025

    261 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations