Cyber Resilience

CVE-2025-24364

Severity: High · Public PoC available

Published: 27 January 2025
Modified: 20 August 2025
KEV Added: not listed
Patch: fixed in Vaultwarden 1.33.0
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0099 (77.3rd percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-24364 is a high-severity Injection (CWE-74) vulnerability in Dani-Garcia Vaultwarden. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 22.7% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Deeper analysis

Vaultwarden, an unofficial Bitwarden-compatible password server written in Rust, contains a command-injection vulnerability tracked as CVE-2025-24364. An authenticated administrator with access to the admin panel can alter mail-transport settings to invoke sendmail with attacker-controlled arguments and then supply a specially crafted favicon image containing embedded shell commands that execute when the server performs actions such as sending a test message. The flaw is classified under CWE-74 and carries a CVSS 3.1 score of 7.2.

An attacker who already possesses valid administrative credentials can therefore achieve arbitrary code execution on the underlying host. The attack requires no user interaction beyond the initial authenticated session and can result in full confidentiality, integrity, and availability impact on the system.

The issue is resolved in Vaultwarden 1.33.0, as stated in the project’s GitHub release notes and the accompanying security advisory GHSA-h6cc-rc6q-23j4. Administrators are advised to upgrade promptly and to restrict administrative-panel access to trusted networks or identities.

EPSS for the CVE rose from lower values to a recorded peak of 0.0216 on 2025-12-11 before receding to the current 0.0099, indicating a measurable but temporary increase in exploitation interest after public disclosure.


Vulnerability details

vaultwarden is an unofficial Bitwarden-compatible server written in Rust, formerly known as bitwarden_rs. An attacker with authenticated access to the vaultwarden admin panel can execute arbitrary code on the system. The attacker could change settings to use sendmail as the mail agent, but adjust them in such a way that a shell command would be used instead. It then also required crafting a special favicon image with the commands embedded, which would run during, for example, sending a test email. This vulnerability is fixed in 1.33.0.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The vulnerability provides authenticated RCE in a public-facing web admin panel via command injection into mail settings and image processing, directly enabling T1190 for exploiting the exposed application and T1059.004 for Unix shell command execution leading to full system compromise.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-55224 (same product: Dani-Garcia Vaultwarden)
CVE-2024-55225 (same product: Dani-Garcia Vaultwarden)
CVE-2026-27803 (same product: Dani-Garcia Vaultwarden)
CVE-2026-43912 (same product: Dani-Garcia Vaultwarden)
CVE-2025-24365 (same product: Dani-Garcia Vaultwarden)
CVE-2026-27802 (same product: Dani-Garcia Vaultwarden)
CVE-2026-43914 (same product: Dani-Garcia Vaultwarden)
CVE-2026-43913 (same product: Dani-Garcia Vaultwarden)
CVE-2024-39784 (shared CWE-74)
CVE-2024-39785 (shared CWE-74)

Affected Assets

dani-garcia / vaultwarden, versions ≤ 1.33.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI)

SI-10 Information Input Validation (prevent): Requires validation and sanitization of inputs to mail-agent settings and favicon images in the admin panel to prevent command injection and arbitrary code execution.

SI-2 Flaw Remediation (prevent): Mandates timely flaw remediation by applying patches such as vaultwarden 1.33.0 to eliminate the specific vulnerability enabling authenticated admin exploitation.

CM-6 Configuration Settings (prevent): Enforces secure configuration settings for mail agents and related admin-panel features, preventing improper configurations that allow shell command injection.
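The SI-10 and CM-6 controls above both come down to one design rule for this class of flaw: an operator-supplied mail-agent setting must be constrained to a known binary and passed to the OS as a verbatim argv, never re-parsed by a shell. The following Rust example is added here to illustrate that rule; it is not Vaultwarden's code and does not reproduce the project's fix. The allowlisted sendmail paths, the forbidden-character set, the function names and the sample settings are all assumptions made for the example.

```rust
// Added example (not Vaultwarden's code): allowlist-and-argv validation for an
// operator-supplied sendmail configuration, so the mail agent is spawned without
// a shell and cannot be redirected to an arbitrary command.
use std::process::Command;

/// Absolute paths an administrator may select as the sendmail binary.
/// ASSUMPTION: this allowlist is chosen for the example, not taken from any project.
const ALLOWED_SENDMAIL: &[&str] = &["/usr/sbin/sendmail", "/usr/lib/sendmail"];

/// Characters that have meaning to a shell; rejected outright rather than
/// escaped, because the value should never reach a shell at all.
const FORBIDDEN: &[char] = &[
    ';', '&', '|', '$', '`', '(', ')', '<', '>', '\\', '\'', '"',
    '*', '?', '{', '}', '[', ']', '!', '#', '~', '\n', '\r',
];

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    Empty,
    NotAllowlisted(String),
    ShellMetachar(String),
}

/// Accept the sendmail command only if it is exactly one of the allowlisted paths.
pub fn validate_sendmail_command(cmd: &str) -> Result<String, ConfigError> {
    let trimmed = cmd.trim();
    if trimmed.is_empty() {
        return Err(ConfigError::Empty);
    }
    if !ALLOWED_SENDMAIL.contains(&trimmed) {
        return Err(ConfigError::NotAllowlisted(trimmed.to_string()));
    }
    Ok(trimmed.to_string())
}

/// Split operator-supplied arguments on whitespace and reject any token that
/// carries shell metacharacters; returns a clean argv vector.
pub fn validate_sendmail_args(raw: &str) -> Result<Vec<String>, ConfigError> {
    let mut argv = Vec::new();
    for token in raw.split_whitespace() {
        if token.chars().any(|c| FORBIDDEN.contains(&c)) {
            return Err(ConfigError::ShellMetachar(token.to_string()));
        }
        argv.push(token.to_string());
    }
    Ok(argv)
}

/// Build the process to spawn. `Command::new` plus `args` hands argv to execve
/// with no shell in between, so even a value that slipped past validation is
/// not re-parsed as a command line.
pub fn build_sendmail_command(cmd: &str, args: &str) -> Result<Command, ConfigError> {
    let bin = validate_sendmail_command(cmd)?;
    let argv = validate_sendmail_args(args)?;
    let mut command = Command::new(bin);
    command.args(argv);
    Ok(command)
}

/// Cheap structural check on an uploaded favicon: PNG or ICO magic bytes.
/// Defence in depth only: a well-formed image can still carry arbitrary bytes,
/// which is exactly why the spawn path above must never involve a shell.
pub fn favicon_has_image_magic(bytes: &[u8]) -> bool {
    const PNG: [u8; 8] = [0x89, b'P', b'N', b'G', 0x0D, 0x0A, 0x1A, 0x0A];
    const ICO: [u8; 4] = [0x00, 0x00, 0x01, 0x00];
    bytes.starts_with(&PNG) || bytes.starts_with(&ICO)
}

fn main() {
    // Constructed sample settings an administrator might submit.
    match build_sendmail_command("/usr/sbin/sendmail", "-i -t") {
        Ok(c) => println!("accepted: {:?}", c),
        Err(e) => println!("rejected: {:?}", e),
    }
    match build_sendmail_command("/usr/bin/env", "-i") {
        Ok(c) => println!("accepted: {:?}", c),
        Err(e) => println!("rejected: {:?}", e),
    }
}
```

The allowlist check is deliberately an exact string match rather than a "looks like a path" heuristic, and the argument check rejects instead of escaping: once a setting is only ever handed to `execve` as argv, there is nothing to escape for, and rejecting gives the administrator a clear error instead of a silently altered configuration.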
