CVE-2025-25068
Published: 21 March 2025
Summary
CVE-2025-25068 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Mattermost Server. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 15.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-11 (Re-authentication).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations for all logical access, directly addressing the failure to enforce MFA on plugin API endpoints.
IA-11 mandates re-authentication including MFA prior to accessing specific functions like plugin routes, preventing bypass after initial authentication.
IA-2 ensures organizational users are identified and authenticated with MFA policies, partially mitigating inconsistent enforcement across endpoints.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the public-facing Mattermost application allows a remote, authenticated user to bypass MFA enforcement on plugin API endpoints (CWE-306). This maps directly to exploitation of a public-facing application (T1190) and to an MFA-bypass technique.
NVD Description
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, 10.5.x <= 10.5.0 fail to enforce MFA on plugin endpoints, which allows authenticated attackers to bypass MFA protections via API requests to plugin-specific routes.
Deeper analysis
CVE-2025-25068 is a vulnerability in Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to and including 10.3.3, 9.11.x up to and including 9.11.8, and 10.5.x up to and including 10.5.0. It stems from a failure to enforce multi-factor authentication (MFA) on plugin endpoints, allowing authenticated attackers to bypass MFA protections through API requests to plugin-specific routes. The issue is mapped to CWE-306 (Missing Authentication for Critical Function) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
Attackers require low-privilege authenticated access (PR:L) and network connectivity (AV:N) to exploit this vulnerability, which demands high attack complexity (AC:H) but no user interaction (UI:N). Exploitation enables bypassing MFA restrictions, potentially leading to high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) by accessing protected plugin functionalities without additional authentication.
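The wiring defect described above, as an added Go illustration that is not Mattermost's code: an MFA middleware guards the API subtree but the plugin subtree is mounted beside it and never sees the check, next to the corrected wiring that puts a single enforcement point in front of every route. The session headers, paths and handler names are constructed stand-ins, not Mattermost identifiers.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)
// requireMFA is a hypothetical middleware; constructed headers stand in for a
// session store: X-Session-User = logged in, X-Session-MFA: done = MFA complete.
func requireMFA(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Session-User") == "" {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		if r.Header.Get("X-Session-MFA") != "done" {
			http.Error(w, "mfa required", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
func ok(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }

// buildRouter wires the API. With enforceOnPlugins=false the plugin subtree is
// mounted beside the MFA-wrapped API and never sees the check (the CWE-306 gap);
// with true one middleware wraps the whole router, so plugin routes inherit it.
func buildRouter(enforceOnPlugins bool) http.Handler {
	api := http.NewServeMux()
	api.HandleFunc("/api/v4/users/me", ok)
	plugins := http.NewServeMux()
	plugins.HandleFunc("/plugins/", ok) // plugin-specific routes live here
	root := http.NewServeMux()
	if !enforceOnPlugins {
		root.Handle("/api/", requireMFA(api))
		root.Handle("/plugins/", plugins) // no MFA in front of plugin routes
		return root
	}
	root.Handle("/api/", api)
	root.Handle("/plugins/", plugins)
	return requireMFA(root) // single enforcement point for every route
}

// probe returns the status a password-only session (MFA not completed) gets.
func probe(h http.Handler, path string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	req.Header.Set("X-Session-User", "alice") // constructed session, no MFA
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}
```

With the vulnerable wiring, probe returns 403 for the API route but 200 for a plugin route; with the corrected wiring both return 403 until the second factor is completed.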
Mattermost has published details on this vulnerability in their security updates, available at https://mattermost.com/security-updates, which security practitioners should consult for patch information and mitigation guidance.
Details
- CWE(s)