CVE-2025-24894
Published: 18 February 2025
Summary
CVE-2025-24894 is a critical-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 17.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-8 (Identification and Authentication (Non-organizational Users)) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly mitigates the SAML signature validation flaw by requiring identification, reporting, prioritization, and timely patching of the vulnerable SPID.AspNetCore.Authentication library to version 3.4.0.
- Requires cryptographic signature verification of incoming SAML responses to detect unauthorized modifications, such as signature wrapping attacks that inject legitimately signed elements.
- IA-8 (Identification and Authentication (Non-organizational Users)): Mandates robust authentication mechanisms and procedures for non-organizational SPID/CIE users, ensuring proper SAML assertion validation to prevent impersonation via malformed responses.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in a public-facing SAML authenticator enables remote exploitation (Exploit Public-Facing Application, T1190) and lets an attacker forge SAML tokens/assertions via signature wrapping to bypass authentication (Forge Web Credentials: SAML Tokens, T1606.002).
NVD Description
SPID.AspNetCore.Authentication is an AspNetCore Remote Authenticator for SPID. Authentication using Spid and CIE is based on the SAML2 standard which provides two entities: Identity Provider (IDP): the system that authenticates users and provides identity information (SAML affirmation) to the Service Provider, in essence, is responsible for the management of the credentials and identity of users; Service Provider (SP): the system that provides a service to the user and relies on the Identity Provider to authenticate the user, receives SAML assertions from the IdP to grant access to resources. The validation logic of the signature is central as it ensures that you cannot create a SAML response with arbitrary assertions and then impersonate other users. There is no guarantee that the first signature refers to the root object; it follows that if an attacker injects an item signed as the first element, all other signatures will not be verified. The only requirement is to have an XML element legitimately signed by the IdP, a condition that is easily met using the IdP's public metadata. An attacker could create an arbitrary SAML response that would be accepted by SPs using vulnerable SDKs, allowing him to impersonate any Spid and/or CIE user. This vulnerability has been addressed in version 3.4.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability.
Deeper analysis
CVE-2025-24894 is a critical vulnerability in SPID.AspNetCore.Authentication, an ASP.NET Core remote authenticator for SPID that implements SAML2-based authentication between Identity Providers (IdPs) and Service Providers (SPs). The flaw lies in the SAML signature validation logic, which assumes the first signature in a response refers to the root object without verifying this. This enables a signature wrapping attack where an attacker injects a legitimately signed XML element—sourced from the IdP's public metadata—as the first element, causing subsequent signatures to be ignored and allowing arbitrary SAML assertions to be accepted.
Any unauthenticated remote attacker can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS 3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and association with CWE-287 (Improper Authentication). By crafting a malicious SAML response, the attacker can impersonate any SPID or CIE user, gaining unauthorized access to SP resources protected by the vulnerable authenticator.
The GitHub security advisory for the SPID.AspNetCore project recommends upgrading to version 3.4.0, where the issue has been addressed. No workarounds are available.
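As an added illustration of the validation flaw described above (example code, not code from the SPID.AspNetCore.Authentication project), the following Python contrasts a validator that trusts whichever ds:Signature appears first with one that binds the signature to the Response it must cover. Cryptographic verification of the signature bytes is assumed to happen separately and is not modelled; the two SAML responses are constructed, structurally minimal samples.

```python
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"

def first_signature_reference(root):
    """Reference URI of the first ds:Signature in document order, or None."""
    for sig in root.iter(DS + "Signature"):
        ref = sig.find(f"./{DS}SignedInfo/{DS}Reference")
        return ref.get("URI") if ref is not None else None
    return None

def vulnerable_accept(xml_text):
    """Flawed logic: the first signature found is assumed to cover the root Response,
    so one (hypothetically verified) signature on any element accepts the response."""
    return first_signature_reference(ET.fromstring(xml_text)) is not None

def hardened_accept(xml_text):
    """Bind the signature to the element it must cover: exactly one ds:Signature as a
    direct child of the Response, referencing the Response's own (unique) ID."""
    root = ET.fromstring(xml_text)
    if root.tag != SAMLP + "Response" or not root.get("ID"):
        return False
    sigs = [c for c in root if c.tag == DS + "Signature"]
    if len(sigs) != 1:
        return False
    ref = sigs[0].find(f"./{DS}SignedInfo/{DS}Reference")
    if ref is None or ref.get("URI") != "#" + root.get("ID"):
        return False
    ids = [el.get("ID") for el in root.iter() if el.get("ID") is not None]
    return ids.count(root.get("ID")) == 1  # reject duplicated IDs that re-point references

# Constructed sample: a legitimately signed element (shaped like signed IdP metadata) placed
# first, followed by an unsigned assertion; no signature covers the Response itself.
WRAPPED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <md:EntityDescriptor ID="_meta1"><ds:Signature><ds:SignedInfo>
    <ds:Reference URI="#_meta1"/></ds:SignedInfo></ds:Signature></md:EntityDescriptor>
  <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>anyone</saml:NameID></saml:Subject></saml:Assertion>
</samlp:Response>"""

# Constructed sample: the Response carries an enveloped signature over its own ID.
LEGIT = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_resp1">
  <ds:Signature><ds:SignedInfo><ds:Reference URI="#_resp1"/></ds:SignedInfo></ds:Signature>
  <saml:Assertion ID="_a1"><saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject></saml:Assertion>
</samlp:Response>"""
```

The same binding check applies to the signed Assertion that is ultimately consumed: resolve the Reference URI to the element whose attributes are trusted, never the other way round.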
Details
- CWE(s): CWE-287 (Improper Authentication)