CVE-2025-27501
Published: 03 March 2025
Summary
CVE-2025-27501 is a high-severity Server-Side Request Forgery (SSRF, CWE-918) vulnerability in OpenZiti (ziti-console). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-4 (Information Flow Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Prohibits permitting unauthenticated access to the admin panel endpoint that accepts user-supplied URLs, directly addressing the lack of authentication that enables the SSRF.
- Requires validation of the user-supplied URL parameter to block SSRF by ensuring only authorized destinations are used in server-side requests.
- Enforces flow control policies that restrict server-side requests to unauthorized internal or external resources, preventing SSRF exploitation using the node's identity.
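The second control above, validating the user-supplied controller URL against an operator-configured allowlist before any server-side request is made, as an added example that is not ziti-console's own code. It assumes a Node.js backend; the names ALLOWED_CONTROLLERS and isAllowedControllerUrl and the allowlist entries are constructed for illustration.

```javascript
// Added example (not ziti-console code): allowlist validation for a
// user-supplied controller URL. Hypothetical names; the allowlist entries
// are constructed samples an operator would replace with real controllers.
const ALLOWED_CONTROLLERS = new Set([
  'ctrl.example.internal:1280',
  'ctrl2.example.internal:1280',
]);

// Returns { ok: true, target } for an allowlisted https host:port, otherwise
// { ok: false, reason }. Comparison is on the parsed host:port, never on the
// raw string, so case, paths, fragments and query strings cannot influence it.
function isAllowedControllerUrl(raw, allowlist = ALLOWED_CONTROLLERS) {
  let url;
  try {
    url = new URL(String(raw)); // WHATWG parser: lowercases host, normalises port
  } catch {
    return { ok: false, reason: 'unparseable URL' };
  }
  // Only TLS to a controller; this also rejects file:, gopher:, plain http:, etc.
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme not https' };
  // Credentials embedded in the URL are a classic parser-confusion vector.
  if (url.username || url.password) return { ok: false, reason: 'userinfo present' };
  // Make the default port explicit so "host" and "host:443" compare equal.
  const hostPort = `${url.hostname}:${url.port || '443'}`;
  if (!allowlist.has(hostPort)) {
    return { ok: false, reason: `destination ${hostPort} not allowlisted` };
  }
  // Rebuild the target from validated parts; never reuse the raw input.
  return { ok: true, target: `https://${hostPort}` };
}

// Constructed inputs: one legitimate controller plus the kinds of value the
// validator must reject (wrong port, link-local metadata address, userinfo,
// non-network scheme, garbage). Returns [input, accepted] pairs.
function checkSamples() {
  const samples = [
    'https://ctrl.example.internal:1280',
    'https://CTRL.example.internal',            // default port 443, not allowlisted
    'http://169.254.169.254/latest/meta-data/', // plain http to metadata service
    'https://admin@ctrl.example.internal:1280', // userinfo present
    'file:///etc/passwd',
    'not a url',
  ];
  return samples.map((s) => [s, isAllowedControllerUrl(s).ok]);
}

module.exports = { ALLOWED_CONTROLLERS, isAllowedControllerUrl, checkSamples };
```

This complements, rather than replaces, requiring an authenticated admin session on the endpoint; the upstream fix in 3.7.1 removes the server-side request altogether.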
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An unauthenticated SSRF in a public-facing admin endpoint enables exploitation of a public-facing application (T1190), abuse of the Cloud Instance Metadata API for discovery (T1522), and unsecured credential access from cloud metadata (T1552.005).
NVD Description
OpenZiti is a free and open source project focused on bringing zero trust to any application. An endpoint on the admin panel can be accessed without any form of authentication. This endpoint accepts a user-supplied URL parameter to connect to an OpenZiti Controller and performs a server-side request, resulting in a potential Server-Side Request Forgery (SSRF) vulnerability. The fixed version has moved the request to the external controller from the server side to the client side, thereby eliminating the identity of the node from being used to gain any additional permissions. This vulnerability is fixed in 3.7.1.
Deeper analysis
CVE-2025-27501 is a Server-Side Request Forgery (SSRF) vulnerability, classified under CWE-918, affecting the ziti-console component of OpenZiti, an open-source zero trust networking project. An unauthenticated endpoint in the admin panel accepts a user-supplied URL parameter to connect to an OpenZiti Controller and performs a server-side request using the identity of the node. This exposes the application to SSRF risks, with a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N), indicating high severity due to network accessibility, no authentication required, and significant confidentiality impact across a changed scope.
Unauthenticated remote attackers can exploit this vulnerability by sending crafted requests to the admin panel endpoint, causing the server to make unauthorized requests to internal or external resources using the node's identity. Successful exploitation allows attackers to leverage the node's permissions on the OpenZiti Controller to access sensitive data or resources they could not otherwise reach, potentially bypassing zero trust controls.
The GitHub Security Advisory (GHSA-fqxh-vfv5-8qjp) details the fix in OpenZiti version 3.7.1, which relocates the controller connection request from server-side to client-side execution. This change prevents the server's node identity from being used to obtain elevated permissions, effectively mitigating the SSRF risk. Security practitioners should upgrade to 3.7.1 or later and review access to admin panel endpoints.
Details
- CWE(s)