CVE-2025-24458
Published: 21 January 2025
Summary
CVE-2025-24458 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in JetBrains YouTrack. Its CVSS v3.1 base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Valid Accounts (T1078). It sits at the 0.5th percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the vulnerability by requiring timely patching of JetBrains YouTrack to 2024.3.55417 or later, which removes the account takeover flaw.
- SI-10 (Information Input Validation): validates the sender data carried in email arriving through the Helpdesk integration, so that a forged From: address is not accepted as proof of an existing user's identity.
- SI-8 (Spam Protection): applies spam and sender-authentication filtering (for example SPF, DKIM and DMARC checks) at the email entry point to block spoofed mail before it reaches the YouTrack Helpdesk integration.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1078 (Valid Accounts): the vulnerability lets an attacker take over an existing account by spoofing email to the Helpdesk integration; the outcome is possession and use of a legitimate account, which is exactly what T1078 describes.
NVD Description
In JetBrains YouTrack before 2024.3.55417 account takeover was possible via spoofed email and Helpdesk integration
Deeper analysis
CVE-2025-24458 affects JetBrains YouTrack in versions before 2024.3.55417, where account takeover is possible via a spoofed email processed by the Helpdesk integration. Published on 2025-01-21, the vulnerability carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N) and maps to CWE-290 (Authentication Bypass by Spoofing).
The published vector scores the attack vector as Local (AV:L), with low complexity (AC:L), no privileges required (PR:N) and user interaction required (UI:R). The described exploitation path, however, is an unauthenticated sender delivering a spoofed email that the Helpdesk integration trusts, so do not read the Local rating as meaning that internet-reachable helpdesk mailboxes are out of scope. Successful exploitation yields high confidentiality and integrity impact on the hijacked account and no availability impact.
JetBrains fixed the issue in YouTrack 2024.3.55417; upgrade to that build or later. For the vendor's details, refer to the advisory at https://www.jetbrains.com/privacy-security/issues-fixed/.
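The mechanism described above, and the SI-10 / SI-8 mitigations listed earlier, can be illustrated with the following added example. It is not YouTrack code and does not reflect how JetBrains fixed the flaw; it models a generic helpdesk mail-intake function with a constructed user directory, constructed sample messages and a hypothetical trusted MTA id (`mx.example.com`). The vulnerable variant binds an inbound mail to an existing account purely on the From: header (the CWE-290 pattern); the hardened variant only does so when an Authentication-Results header stamped by the organisation's own MTA shows DKIM, SPF or DMARC passing for a domain aligned with the From: domain.

```python
"""Added example (not YouTrack code): a helpdesk mail intake fooled by a forged
From: header, and one way to harden it.

Hypothetical assumptions: USERS is the helpdesk account directory; our own
MTA stamps inbound mail with an RFC 8601 Authentication-Results header whose
authserv-id is TRUSTED_AUTHSERV and strips any pre-existing header claiming
that id; alignment is checked strictly (exact domain match), not DMARC
"relaxed" organisational-domain alignment.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed user directory: the accounts an attacker would want to hijack.
USERS = {
    "admin@example.com": {"id": 1, "role": "admin"},
    "alice@example.com": {"id": 2, "role": "user"},
}
TRUSTED_AUTHSERV = "mx.example.com"  # hypothetical id of our own MTA


def from_domain(msg):
    """Domain part of the RFC 5322 From: address, lower-cased ('' if absent)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def resolve_sender_vulnerable(raw_msg):
    """CWE-290 pattern: bind the mail to an existing account purely on From:.
    Anyone able to send mail with a forged From: acts as that user."""
    msg = message_from_string(raw_msg)
    _, addr = parseaddr(msg.get("From", ""))
    return USERS.get(addr.lower())


def parse_auth_results(value):
    """Parse an Authentication-Results value into (method, result, domain)
    tuples; only the domain properties needed for alignment are kept."""
    parts = [p.strip() for p in value.split(";")]
    results = []
    for part in parts[1:]:  # parts[0] is the authserv-id
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, _, result = tokens[0].partition("=")
        domain = None
        for tok in tokens[1:]:
            key, _, val = tok.partition("=")
            if key.lower() in ("header.d", "header.from", "smtp.mailfrom"):
                domain = val.rsplit("@", 1)[-1].lower()
        results.append((method.lower(), result.lower(), domain))
    return results


def sender_is_authenticated(msg, trusted_authserv=TRUSTED_AUTHSERV):
    """True only if our own MTA reports dkim/spf/dmarc=pass for a domain equal
    to the From: domain. Headers with any other authserv-id are ignored,
    because the sender can add Authentication-Results lines as well."""
    domain = from_domain(msg)
    if not domain:
        return False
    for header in msg.get_all("Authentication-Results", []):
        authserv = header.split(";", 1)[0].strip().lower()
        if authserv != trusted_authserv.lower():
            continue
        for method, result, auth_domain in parse_auth_results(header):
            if method in ("dkim", "spf", "dmarc") and result == "pass" \
                    and auth_domain == domain:
                return True
    return False


def resolve_sender_hardened(raw_msg, trusted_authserv=TRUSTED_AUTHSERV):
    """Hardened intake: an unauthenticated sender is never linked to an
    existing account; the caller treats it as an anonymous requester."""
    msg = message_from_string(raw_msg)
    if not sender_is_authenticated(msg, trusted_authserv):
        return None
    _, addr = parseaddr(msg.get("From", ""))
    return USERS.get(addr.lower())


# Constructed sample messages.
FORGED = (
    "From: admin@example.com\nTo: helpdesk@example.com\n"
    "Subject: please reset my password\n"
    "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.test;"
    " dkim=none\n\nSend the reset link to my new address.\n"
)
INJECTED = (  # attacker supplies a fake verdict under a foreign authserv-id
    "From: admin@example.com\n"
    "Authentication-Results: attacker.test; dkim=pass header.d=example.com\n"
    "\nbody\n"
)
LEGIT = (
    "From: Admin <admin@example.com>\n"
    "Authentication-Results: mx.example.com; dkim=pass header.d=example.com"
    " header.s=sel1; spf=pass smtp.mailfrom=admin@example.com\n\nbody\n"
)

if __name__ == "__main__":
    print("vulnerable, forged ->", resolve_sender_vulnerable(FORGED))
    print("hardened, forged   ->", resolve_sender_hardened(FORGED))
    print("hardened, injected ->", resolve_sender_hardened(INJECTED))
    print("hardened, legit    ->", resolve_sender_hardened(LEGIT))
```

The authserv-id filter is only meaningful if the receiving MTA actually removes inbound Authentication-Results headers that claim its own id, as RFC 8601 requires; without that, an attacker simply forges a header naming `mx.example.com`. In practice the same result is usually obtained more robustly by enforcing DMARC at the MTA (SI-8) so that spoofed mail never reaches the helpdesk, with this kind of intake check as a second layer.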
Details
- CWE(s)