CVE-2025-24364
Published: 27 January 2025
Summary
CVE-2025-24364 is a high-severity Injection (CWE-74) vulnerability in Dani-Garcia Vaultwarden. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 23.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of inputs to mail agent settings and favicon images in the admin panel, to prevent command injection and arbitrary code execution.
- Flaw remediation: mandates timely patching, here by applying vaultwarden 1.33.0, to eliminate the specific defect that enables authenticated admin exploitation.
- CM-6 (Configuration Settings): enforces secure configuration of mail agents and related admin panel features, preventing configurations that allow shell command injection.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability provides authenticated RCE in a public-facing web admin panel via command injection into mail settings and image processing, directly enabling T1190 for exploiting the exposed application and T1059.004 for Unix shell command execution leading to full system compromise.
NVD Description
vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. An attacker with authenticated access to the vaultwarden admin panel can execute arbitrary code on the system. The attacker could then change some settings to use sendmail as mail agent but adjust the settings in such a way that it would use a shell command. It then also needed to craft a special favicon image which would have the commands embedded to run during, for example, sending a test email. This vulnerability is fixed in 1.33.0.
Deeper analysis
CVE-2025-24364 is an arbitrary code execution vulnerability affecting vaultwarden, an unofficial Bitwarden-compatible server written in Rust and formerly known as bitwarden_rs. The flaw exists in the vaultwarden admin panel, where an authenticated attacker can leverage improper handling of mail agent settings and favicon images to execute arbitrary system commands. It is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, "Injection"; here, command injection) with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high confidentiality, integrity, and availability impact.
An attacker requires authenticated access to the vaultwarden admin panel to exploit this vulnerability. The attack scenario involves modifying admin settings to configure sendmail as the mail agent while injecting a shell command, then crafting a malicious favicon image with embedded commands. Triggering the exploit, such as by sending a test email, causes the system to process the tampered favicon and execute the arbitrary code, potentially granting full system compromise.
The vulnerability was addressed in vaultwarden version 1.33.0. Security practitioners should update to this version or later. Additional details are available in the GitHub security advisory at https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-h6cc-rc6q-23j4 and the release notes at https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0.
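As an added illustration of the input-validation control described above (example code, not vaultwarden's own code or its 1.33.0 fix): a Rust validator for an admin-supplied sendmail path that rejects relative paths and shell metacharacters, and builds the mail-agent process without a shell so the configured value is never parsed as a command line. The function names and the fixed `-i -t` arguments are assumptions for illustration.

```rust
use std::path::Path;
use std::process::{Command, Stdio};

#[derive(Debug, PartialEq)]
pub enum SendmailError {
    NotAbsolute,
    ForbiddenChar(char),
    NotAFile,
}

// Characters that give a shell-interpreted string extra meaning. Rejecting
// them at save time means the value cannot carry a second command even if
// some later code path wrongly hands it to `sh -c`.
const FORBIDDEN: &[char] = &[
    ';', '&', '|', '$', '`', '<', '>', '(', ')', '{', '}', '\'', '"', '\\',
    ' ', '\t', '\n', '\r', '*', '?', '[', ']', '!', '#', '~',
];

/// Syntactic check: a single absolute path with no shell metacharacters.
pub fn validate_sendmail_command(value: &str) -> Result<(), SendmailError> {
    if let Some(c) = value.chars().find(|c| FORBIDDEN.contains(c) || c.is_control()) {
        return Err(SendmailError::ForbiddenChar(c));
    }
    if !Path::new(value).is_absolute() {
        return Err(SendmailError::NotAbsolute);
    }
    Ok(())
}

/// Stricter variant for the admin "save settings" handler: the path must
/// also resolve to an existing regular file (assumed policy, not vaultwarden's).
pub fn validate_sendmail_command_on_disk(value: &str) -> Result<(), SendmailError> {
    validate_sendmail_command(value)?;
    if !Path::new(value).is_file() {
        return Err(SendmailError::NotAFile);
    }
    Ok(())
}

/// Build the mail-agent process directly (no `sh -c`): the validated path is
/// argv[0] and the options are fixed by the application, so nothing the admin
/// typed is ever tokenised by a shell. The message body is fed via stdin.
pub fn sendmail_command(path: &str) -> Result<Command, SendmailError> {
    validate_sendmail_command(path)?;
    let mut cmd = Command::new(path);
    cmd.arg("-i").arg("-t").stdin(Stdio::piped());
    Ok(cmd)
}
```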
Details
- CWE(s)