CVE-2025-1412
Published: 24 February 2025
Summary
CVE-2025-1412 is a low-severity Session Fixation (CWE-384) vulnerability in Mattermost Server. Its CVSS base score is 3.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Local Accounts (T1078.003). It ranks at the 37.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-12 (Session Termination) and AC-2 (Account Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-12 requires automatic termination of user sessions upon organization-defined trigger events such as user-to-bot account conversion, directly preventing retention of active sessions that enable privilege escalation.
AC-2 mandates comprehensive account management procedures, including disabling or modifying accounts like user-to-bot conversions with associated session invalidation to revoke unauthorized access.
SI-2 ensures identification, reporting, and timely patching of software flaws such as the session invalidation failure in Mattermost, eliminating the vulnerability at its source.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Session fixation on account conversion to bot allows continued use of valid local sessions with potentially escalated permissions.
NVD Description
Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, which allows the converted user to escalate their privileges depending on the permissions granted to the bot.
Deeper analysis
CVE-2025-1412 is a session management vulnerability affecting Mattermost versions 9.11.x up to and including 9.11.6 and 10.4.x up to and including 10.4.1. The flaw arises because the software fails to invalidate all active sessions when a user account is converted to a bot account. This issue, classified under CWE-384 (Session Fixation), has a CVSS v3.1 base score of 3.1 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) and was published on 2025-02-24.
A low-privileged user (PR:L) with network access (AV:N) can exploit this vulnerability if their account is converted to a bot, as their existing sessions remain valid despite the change. This allows the converted user to retain access with their original permissions while potentially gaining escalated privileges based on the permissions assigned to the new bot account. Exploitation requires high attack complexity (AC:H) and results in low confidentiality impact with no integrity or availability effects.
For mitigation details, refer to the official advisory at https://mattermost.com/security-updates, which provides guidance on patches and remediation steps for affected versions.
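As an added illustration (not Mattermost's code), the following Go model contrasts the behaviour the NVD description states (pre-conversion sessions stay valid after the account becomes a bot) with the session-terminating behaviour AC-12 calls for. The Store type, the user names and the session IDs are constructed for the example.

```go
package main

import "fmt"

// Store is an in-memory stand-in for a server's session table (constructed for this
// example; not Mattermost's data model). Keys are session IDs, values the owning user.
type Store struct{ sessions map[string]string }

// SessionValid is the per-request check an API handler would perform.
func (s *Store) SessionValid(sessionID string) bool {
	_, ok := s.sessions[sessionID]
	return ok
}

// RevokeAllSessions deletes every session belonging to userID and nobody else's.
func (s *Store) RevokeAllSessions(userID string) {
	for id, owner := range s.sessions {
		if owner == userID {
			delete(s.sessions, id)
		}
	}
}

// ConvertUserToBot models the account-type change. With revoke=false it reproduces
// the flaw: sessions issued before the conversion stay valid and now act with the
// bot's permissions. With revoke=true they are terminated, as AC-12 requires.
func (s *Store) ConvertUserToBot(userID string, revoke bool) {
	if revoke {
		s.RevokeAllSessions(userID)
	}
}

// SurvivingSessions gives alice two sessions, converts her account, and returns how
// many of her pre-conversion sessions still validate. bob's session must survive.
func SurvivingSessions(revoke bool) int {
	s := &Store{sessions: map[string]string{"sess-1": "alice", "sess-2": "alice", "sess-3": "bob"}}
	s.ConvertUserToBot("alice", revoke)
	n := 0
	for _, id := range []string{"sess-1", "sess-2"} {
		if s.SessionValid(id) {
			n++
		}
	}
	if !s.SessionValid("sess-3") {
		panic("revocation leaked onto an unrelated account")
	}
	return n
}

func main() { fmt.Println("vulnerable:", SurvivingSessions(false), "fixed:", SurvivingSessions(true)) }
```

A regression test for the real server would follow the same shape: issue sessions, convert the account through the API, then assert that every pre-conversion token is rejected while other users' sessions are untouched.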
Details
- CWE(s)