CVE-2025-24365
Published: 27 January 2025
Summary
CVE-2025-24365 is a high-severity Improper Access Control (CWE-284) vulnerability in Dani-Garcia Vaultwarden. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked in the top 30.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for access to system resources, directly addressing the improper access control that enables privilege escalation to organization owner rights.
- AC-6 (Least Privilege): restricts access to organization owner functions to the users who need them, limiting the impact of the access control flaw.
- SI-2 (Flaw Remediation): requires timely identification, reporting, and correction of system flaws like CVE-2025-24365 through patching to version 1.33.0 or later.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a privilege escalation vulnerability via improper access control (CWE-284) that allows an authenticated low-privileged user to gain owner rights in a target organization, directly enabling the Exploitation for Privilege Escalation technique.
NVD Description
vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. An attacker can obtain owner rights of another organization. The attacker must know the ID of the victim organization (in a real case the user can be a part of the organization as an unprivileged user) and be the owner/admin of another organization (by default you can create your own organization) in order to attack. This vulnerability is fixed in 1.33.0.
Deeper analysis
CVE-2025-24365 is a privilege escalation vulnerability in vaultwarden, an unofficial Bitwarden-compatible server implementation written in Rust and formerly known as bitwarden_rs. The flaw allows an attacker to obtain owner rights over another user's organization. It has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-284 (Improper Access Control).
An attacker with low-privileged access, such as membership in the target organization without elevated rights, can exploit this vulnerability if they know the victim organization's ID. The attacker must also be an owner or admin of another organization, which is straightforward to satisfy because by default any user can create their own organization. Successful exploitation grants the attacker full owner privileges on the victim organization, enabling high-impact confidentiality and integrity violations without requiring user interaction.
The vulnerability is fixed in vaultwarden version 1.33.0. Security practitioners should upgrade to this version or later, as detailed in the official release notes at https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0 and the GitHub security advisory at https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-j4h8-vch3-f797.
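The preconditions above (the actor holds owner/admin rights in one organization and only plain membership in the target) describe the general CWE-284 pattern where a role check is not tied to the organization named in the request. The following Rust example is added here to illustrate that pattern for defenders and reviewers; it is hypothetical code, not vaultwarden's own, and the page does not state which endpoint or check was at fault. The membership model, the `Directory` type, the `Role` ordering and the organization and user names are all constructed for the example.

```rust
use std::collections::HashMap;

/// Roles a user can hold within one organization, ordered by privilege.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Role {
    User,
    Admin,
    Owner,
}

#[derive(Debug, PartialEq, Eq)]
pub enum AuthzError {
    /// The actor is not a member of the organization at all.
    NotAMember,
    /// The actor is a member but lacks Admin/Owner in that organization.
    InsufficientRole,
}

/// Hypothetical membership directory: a role is always scoped to one
/// organization, so the key is the (user, org) pair.
#[derive(Default)]
pub struct Directory {
    memberships: HashMap<(String, String), Role>,
}

impl Directory {
    pub fn add(&mut self, user: &str, org: &str, role: Role) {
        self.memberships
            .insert((user.to_string(), org.to_string()), role);
    }

    /// Role of `user` inside `org`, if any.
    pub fn role_in(&self, user: &str, org: &str) -> Option<Role> {
        self.memberships
            .get(&(user.to_string(), org.to_string()))
            .copied()
    }

    /// Highest role `user` holds in *any* organization. This answers the
    /// wrong question for a per-organization decision.
    pub fn highest_role_anywhere(&self, user: &str) -> Option<Role> {
        self.memberships
            .iter()
            .filter(|((u, _), _)| u.as_str() == user)
            .map(|(_, r)| *r)
            .max()
    }
}

/// Weak check (the CWE-284 pattern): confirms the actor is an Admin/Owner
/// somewhere, but never ties that role to the organization in the request.
pub fn can_change_owner_unscoped(
    dir: &Directory,
    actor: &str,
    _target_org: &str,
) -> Result<(), AuthzError> {
    match dir.highest_role_anywhere(actor) {
        Some(r) if r >= Role::Admin => Ok(()),
        Some(_) => Err(AuthzError::InsufficientRole),
        None => Err(AuthzError::NotAMember),
    }
}

/// Hardened check: the privileged role must be held in `target_org` itself,
/// the organization whose ownership the request would change.
pub fn can_change_owner_scoped(
    dir: &Directory,
    actor: &str,
    target_org: &str,
) -> Result<(), AuthzError> {
    match dir.role_in(actor, target_org) {
        Some(r) if r >= Role::Admin => Ok(()),
        Some(_) => Err(AuthzError::InsufficientRole),
        None => Err(AuthzError::NotAMember),
    }
}

/// Constructed scenario matching the advisory's preconditions: the actor owns
/// their own organization and is an ordinary member of the target one.
pub fn scenario() -> (Result<(), AuthzError>, Result<(), AuthzError>) {
    let mut dir = Directory::default();
    dir.add("alice", "org-alice", Role::Owner); // actor owns her own org
    dir.add("alice", "org-victim", Role::User); // and is a plain member of the target
    dir.add("bob", "org-victim", Role::Owner); // legitimate owner of the target

    let weak = can_change_owner_unscoped(&dir, "alice", "org-victim");
    let strict = can_change_owner_scoped(&dir, "alice", "org-victim");
    (weak, strict)
}

fn main() {
    let (weak, strict) = scenario();
    println!("unscoped check: {:?}", weak); // Ok(()) - escalation would be allowed
    println!("scoped check:   {:?}", strict); // Err(InsufficientRole) - denied
}
```

When reviewing an authorization check of this kind, the question to ask is whether the role lookup is keyed on the same organization ID that the request is about to modify; a check that passes because the caller is privileged elsewhere is the flaw class this CVE belongs to.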
Details
- CWE(s)