Cyber Resilience

CVE-2025-24490

Critical

Published: 24 February 2025

Published
24 February 2025
Modified
01 October 2025
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N
EPSS Score 0.0048 65.4th percentile
Risk Priority 19 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24490 is a critical-severity SQL Injection (CWE-89) vulnerability in Mattermost Mattermost Server. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 34.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-24490 is a SQL injection vulnerability in Mattermost, affecting versions 10.4.x up to and including 10.4.1, 9.11.x up to and including 9.11.7, 10.3.x up to and including 10.3.2, and 10.2.x up to and including 10.2.2. The flaw stems from the failure to use prepared statements in the SQL query handling boards reordering, enabling attackers to inject malicious SQL payloads when reordering specially crafted boards categories. It has a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) and is associated with CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By reordering specially crafted boards categories, the attacker can execute arbitrary SQL queries to retrieve sensitive data from the database (high confidentiality impact) and modify data (high integrity impact), with the attack changing scope to potentially affect higher-privilege components.

For mitigation details, refer to the Mattermost security updates advisory at https://mattermost.com/security-updates.

EU & UK References

Vulnerability details

Mattermost versions 10.4.x <= 10.4.1, 9.11.x <= 9.11.7, 10.3.x <= 10.3.2, 10.2.x <= 10.2.2 fail to use prepared statements in the SQL query of boards reordering which allows an attacker to retrieve data from the database, via a SQL injection…

more

when reordering specially crafted boards categories.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1213.006 Databases Collection
Adversaries may leverage databases to mine valuable information.
T1565.001 Stored Data Manipulation Impact
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

SQL injection in web app enables remote exploitation of public-facing application (T1190), privilege escalation via scope change to higher-priv components (T1068), data retrieval from databases (T1213.006), and stored data manipulation (T1565.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4858Same product: Mattermost Mattermost Server
CVE-2025-14273Same product: Mattermost Mattermost Server
CVE-2025-25274Same product: Mattermost Mattermost Server
CVE-2025-12419Same product: Mattermost Mattermost Server
CVE-2025-20621Same product: Mattermost Mattermost Server
CVE-2025-12421Same product: Mattermost Mattermost Server
CVE-2025-25068Same product: Mattermost Mattermost Server
CVE-2025-25279Same product: Mattermost Mattermost Server
CVE-2025-20051Same product: Mattermost Mattermost Server
CVE-2026-3108Same product: Mattermost Mattermost Server

Affected Assets

mattermost
mattermost server
9.11.0 — 9.11.8 · 10.2.0 — 10.2.3 · 10.3.0 — 10.3.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection by requiring validation of user inputs in the boards reordering SQL query to neutralize malicious payloads.

prevent

Ensures timely remediation of the specific SQL injection flaw through identification, reporting, and patching of affected Mattermost versions.

detectrespond

Supports detection of SQL injection vulnerabilities via scanning and drives remediation to address exploitation risks in Mattermost.

References