CVE-2025-25274
Published: 21 March 2025
Summary
CVE-2025-25274 is a medium-severity Incorrect Authorization (CWE-863) vulnerability in Mattermost Server (vendor: Mattermost). Affected versions fail to block command execution in archived channels, so an authenticated user can run slash commands in a channel that is supposed to be frozen. Its CVSS base score is 4.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 (Access Enforcement): Enforces approved authorizations for logical access. The missing check here is exactly an AC-3 failure: the server must refuse command execution in an archived channel regardless of the caller's membership, rather than treating the channel as writable.
SI-2 (Flaw Remediation): Requires timely identification, reporting, and correction of software flaws. For this authorization bypass that means upgrading to a release outside the affected ranges, as described in the Mattermost security advisories.
AC-6 (Least Privilege): Restricts which slash commands a role may run, and which custom or integration commands are enabled at all, so that a missing channel-state check exposes fewer state-changing actions in archived channels.
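The following Go program is an added illustration of the AC-3 pattern described above; it is not Mattermost's own code and its types are hypothetical. It shows a command handler that only verifies channel membership (the shape of the flaw: nothing consults the channel's archived state) beside a hardened handler that refuses to dispatch when the channel carries a non-zero `DeleteAt` soft-delete timestamp, the convention assumed here for "archived".

```go
package main

import (
	"errors"
	"fmt"
)

// Channel is a hypothetical model, not Mattermost's own type. DeleteAt == 0
// means the channel is active; a non-zero Unix-millisecond timestamp means it
// was archived (soft-deleted) and should be read-only.
type Channel struct {
	ID       string
	Name     string
	DeleteAt int64
}

// User is a hypothetical caller identity.
type User struct{ ID string }

// CommandRequest is the slash-command invocation being authorized.
type CommandRequest struct {
	Channel *Channel
	User    *User
	Command string // e.g. "/kick @bob"
}

var (
	ErrNotMember       = errors.New("user is not a member of the channel")
	ErrChannelArchived = errors.New("cannot execute commands in an archived channel")
)

// membershipFn abstracts the membership lookup so the example runs offline.
type membershipFn func(userID, channelID string) bool

// executeCommandVulnerable mirrors the flaw class: it checks membership only,
// so a member of an archived channel can still run any slash command there.
func executeCommandVulnerable(req CommandRequest, isMember membershipFn) (string, error) {
	if !isMember(req.User.ID, req.Channel.ID) {
		return "", ErrNotMember
	}
	return runSlashCommand(req), nil
}

// executeCommandHardened adds the channel-state check before dispatch. The
// archived check is independent of membership: no role may run commands in a
// frozen channel, so it fails closed even for otherwise authorized callers.
func executeCommandHardened(req CommandRequest, isMember membershipFn) (string, error) {
	if req.Channel.DeleteAt != 0 {
		return "", ErrChannelArchived
	}
	if !isMember(req.User.ID, req.Channel.ID) {
		return "", ErrNotMember
	}
	return runSlashCommand(req), nil
}

// runSlashCommand stands in for the real dispatcher; it only reports what
// would have run.
func runSlashCommand(req CommandRequest) string {
	return fmt.Sprintf("executed %q in #%s", req.Command, req.Channel.Name)
}

func main() {
	// Constructed sample data: u1 is a member of both channels.
	isMember := func(userID, channelID string) bool { return userID == "u1" }
	archived := CommandRequest{
		Channel: &Channel{ID: "c1", Name: "old-project", DeleteAt: 1700000000000},
		User:    &User{ID: "u1"},
		Command: "/header nothing to see here",
	}
	out, err := executeCommandVulnerable(archived, isMember)
	fmt.Println("vulnerable:", out, err)
	out, err = executeCommandHardened(archived, isMember)
	fmt.Println("hardened:  ", out, err)
}
```

Running `main` shows the vulnerable handler "executing" the command in the archived channel while the hardened handler returns `ErrChannelArchived`. The point of checking channel state first is that archival is a property of the resource, not of the caller, so it must not be bypassable by any role.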
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets an authenticated user execute commands that the archived state of a channel should forbid, an incorrect-authorization flaw (CWE-863) in a network-accessible collaboration platform; the analysis also tags it CWE-77 (Command Injection). Because Mattermost is typically reachable over the network by all of its users, the exploitation path is mapped to T1190 (Exploit Public-Facing Application). The T1059 (Command and Scripting Interpreter) mapping should be read with care: the "commands" in question are Mattermost slash commands (built-in commands and any custom or integration commands the deployment has configured), not operating-system shell commands, so the technique applies only by analogy.
NVD Description
Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8 fail to restrict command execution in archived channels, which allows authenticated users to run commands in archived channels.
Deeper analysis
CVE-2025-25274, published on 2025-03-21, affects Mattermost versions 10.4.x up to and including 10.4.2, 10.3.x up to 10.3.3, and 9.11.x up to 9.11.8. The vulnerability stems from a failure to restrict command execution in archived channels, mapped to CWE-863 (Incorrect Authorization) and CWE-77 (Command Injection). It carries a CVSS v3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), indicating moderate severity with network accessibility, low attack complexity, and low privileges required.
Any authenticated user can trigger this issue remotely without user interaction, bypassing the restrictions that are supposed to make an archived channel read-only. The result is the ability to run slash commands in those channels, which the CVSS vector scores as a low integrity impact: commands that post messages, change channel metadata, or call a custom command's configured endpoint would act on a channel that is meant to be frozen. Confidentiality and availability are not affected. Remediation is to upgrade past the affected ranges (10.4.3, 10.3.4, or 9.11.9 and later, or a newer minor release).
Mattermost advisories provide further details on patches and mitigations at https://mattermost.com/security-updates.
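As an added worked example for the SI-2 side (not part of the original page or the Mattermost project), the program below encodes the three affected ranges from the NVD description and decides whether a given server version string falls inside them. Versions on branches the advisory does not list (for example 10.5.x) are reported as not affected, which is what the description's `x.y.z <= ...` phrasing implies. Feed it whatever version string your inventory or the server's About dialog reports; the sample inputs in `main` are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// version is a parsed major.minor.patch triple.
type version struct{ major, minor, patch int }

// parseVersion accepts "10.4.2", "v10.4.2" and "10.4.2-rc1"; anything else is an error.
func parseVersion(s string) (version, error) {
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	parts := strings.SplitN(s, ".", 3)
	if len(parts) != 3 {
		return version{}, fmt.Errorf("bad version %q: want major.minor.patch", s)
	}
	var nums [3]int
	for i, p := range parts {
		if i == 2 {
			// Drop a pre-release or build suffix on the patch component.
			if idx := strings.IndexAny(p, "-+"); idx >= 0 {
				p = p[:idx]
			}
		}
		n, err := strconv.Atoi(p)
		if err != nil {
			return version{}, fmt.Errorf("bad version %q: %w", s, err)
		}
		nums[i] = n
	}
	return version{nums[0], nums[1], nums[2]}, nil
}

// affectedRange is one release branch together with the last vulnerable patch level.
type affectedRange struct{ major, minor, lastVulnerablePatch int }

// cve202525274Ranges is taken from the NVD description:
// 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8.
var cve202525274Ranges = []affectedRange{
	{10, 4, 2},
	{10, 3, 3},
	{9, 11, 8},
}

// isAffected reports whether ver lies inside any of the given ranges.
func isAffected(ver string, ranges []affectedRange) (bool, error) {
	v, err := parseVersion(ver)
	if err != nil {
		return false, err
	}
	for _, r := range ranges {
		if v.major == r.major && v.minor == r.minor && v.patch <= r.lastVulnerablePatch {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample inventory, not real hosts.
	samples := []string{"10.4.2", "10.4.3", "10.3.3", "10.3.4", "9.11.8", "9.11.9", "10.5.0", "v10.4.0-rc1", "10.4"}
	for _, s := range samples {
		hit, err := isAffected(s, cve202525274Ranges)
		if err != nil {
			fmt.Printf("%-12s error: %v\n", s, err)
			continue
		}
		fmt.Printf("%-12s affected=%v\n", s, hit)
	}
}
```

The branch-by-branch comparison matters: a naive "less than 10.4.3" test would wrongly flag 10.3.4 and 9.11.9, both of which are outside the affected ranges, and would miss nothing but also mislabel patched hosts.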
Details
- CWE(s)