CVE-2025-24490
Published: 24 February 2025
Summary
CVE-2025-24490 is a critical-severity SQL Injection (CWE-89) vulnerability in Mattermost Server. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents SQL injection by requiring validation of user inputs in the boards reordering SQL query so that malicious payloads are neutralized before they reach the database.
- SI-2 (Flaw Remediation): Ensures timely remediation of this specific SQL injection flaw through identification, reporting, and patching of the affected Mattermost versions.
- Vulnerability scanning supports detection of the flaw in deployed instances and drives remediation of the exploitation risk.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in the web application enables remote exploitation of a public-facing application (T1190); the CVSS scope change (S:C) corresponds to privilege escalation into higher-privilege components (T1068); and direct access to the backing database corresponds to data retrieval from databases (T1213.006) and stored data manipulation (T1565.001).
NVD Description
Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to use prepared statements in the SQL query of boards reordering which allows an attacker to retrieve data from the database, via a SQL injection when reordering specially crafted boards categories.
Deeper analysis
CVE-2025-24490 is a SQL injection vulnerability in Mattermost, affecting versions 10.4.x up to and including 10.4.1, 9.11.x up to and including 9.11.7, 10.3.x up to and including 10.3.2, and 10.2.x up to and including 10.2.2. The flaw stems from the failure to use prepared statements in the SQL query handling boards reordering, enabling attackers to inject malicious SQL payloads when reordering specially crafted boards categories. It has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) and is associated with CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
An authenticated attacker with low privileges (PR:L, i.e. any ordinary account that can reorder its own board categories) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By submitting specially crafted board category identifiers in a reorder request, the attacker can inject arbitrary SQL into the reordering query and use it to retrieve sensitive data from the database (high confidentiality impact) and modify stored data (high integrity impact). The Changed scope (S:C) reflects that the impact extends beyond the vulnerable Mattermost component to the shared database and, through it, to higher-privilege components.
To mitigate, upgrade to a release outside the affected version ranges listed above; the Mattermost security updates advisory at https://mattermost.com/security-updates identifies the fixed releases.
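The following is an added example, not Mattermost's code, illustrating the bug class named in the NVD description and the SI-10 input-validation control above. It models a "reorder the boards in a category" query two ways against an in-memory SQLite database with constructed sample data: one version splices the caller-supplied board ids into a CASE expression (the prepared-statement omission the CVE describes), the other validates the ids against an allowlist and binds every value. The table names, columns, ids, the id format regex, and the exact shape of the query are assumptions made for illustration; only the bug class follows the advisory.

```python
"""Added example, not Mattermost's own code: a hypothetical board-reorder query
built with string interpolation (vulnerable) and with bound parameters plus an
allowlist (fixed). Schema, data, id format and query shape are assumptions."""
import re
import sqlite3

# Constructed sample data: one category with two boards, plus a users table
# holding the kind of secret an attacker would try to pull out.
SCHEMA = """
CREATE TABLE category_boards (category_id TEXT, board_id TEXT, sort_order INTEGER);
CREATE TABLE users (username TEXT, password_hash TEXT);
INSERT INTO category_boards VALUES ('cat1', 'b1', 0), ('cat1', 'b2', 10);
INSERT INTO users VALUES ('admin', '$2a$10$constructedadminhash');
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def reorder_vulnerable(conn, category_id, board_ids):
    """Bug pattern: board ids are spliced into the SQL text. Note that the
    category id IS bound as a parameter; the only attacker-controlled text in
    the statement is the WHEN list, and that is enough."""
    cases = " ".join(f"WHEN '{bid}' THEN {i * 10}" for i, bid in enumerate(board_ids))
    sql = f"UPDATE category_boards SET sort_order = CASE board_id {cases} END WHERE category_id = ?"
    conn.execute(sql, (category_id,))
    conn.commit()


# Assumed id format for the allowlist check (SI-10); real ids may differ.
BOARD_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def reorder_fixed(conn, category_id, board_ids, validate=True):
    """Fix: reject ids outside the allowlist, then bind every value so the
    driver never interprets attacker text as SQL. Rows not in the list are
    left untouched via the IN filter."""
    if validate:
        for bid in board_ids:
            if not BOARD_ID_RE.fullmatch(bid):
                raise ValueError(f"rejected board id: {bid!r}")
    cases = " ".join("WHEN ? THEN ?" for _ in board_ids)
    in_list = ", ".join("?" for _ in board_ids)
    sql = (f"UPDATE category_boards SET sort_order = CASE board_id {cases} END "
           f"WHERE category_id = ? AND board_id IN ({in_list})")
    params = []
    for i, bid in enumerate(board_ids):
        params += [bid, i * 10]
    params += [category_id, *board_ids]
    conn.execute(sql, params)
    conn.commit()


def board_order(conn, category_id):
    """What the client reads back afterwards: board id -> sort_order."""
    rows = conn.execute(
        "SELECT board_id, sort_order FROM category_boards WHERE category_id = ? ORDER BY board_id",
        (category_id,)).fetchall()
    return dict(rows)


# Constructed payload: closes the WHEN literal, substitutes a subquery for the
# ordinal, and opens a dummy WHEN so the rest of the generated text still
# parses. The secret lands in sort_order, which the reorder endpoint echoes.
PAYLOAD = "b1' THEN (SELECT password_hash FROM users WHERE username='admin') WHEN 'zzz"


def demo_vulnerable():
    conn = fresh_db()
    reorder_vulnerable(conn, "cat1", [PAYLOAD, "b2"])
    return board_order(conn, "cat1")  # b1's sort_order now carries the hash


def demo_fixed_bound_only():
    """Parameter binding alone: the payload is just a literal matching no row."""
    conn = fresh_db()
    reorder_fixed(conn, "cat1", [PAYLOAD, "b2"], validate=False)
    return board_order(conn, "cat1")


def demo_fixed_validated():
    """Allowlist in front of the query: the payload never reaches SQL at all."""
    conn = fresh_db()
    try:
        reorder_fixed(conn, "cat1", [PAYLOAD, "b2"])
        return "payload accepted"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print("vulnerable:", demo_vulnerable())
    print("bound only:", demo_fixed_bound_only())
    print("validated: ", demo_fixed_validated())
```

Two points worth noting from the example. First, binding the category id while interpolating the board ids still leaves the statement injectable; every caller-controlled value has to be a parameter. Second, the allowlist check is defence in depth rather than a substitute for binding: with binding alone the payload is harmlessly treated as a board id that matches nothing, and with validation in front of it the request is rejected before any SQL runs.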
Details
- CWE(s)