CVE-2025-27507
Published: 04 March 2025
Summary
CVE-2025-27507 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Zitadel. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098). The CVE is ranked at the 36.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations in the Admin API so that an IDOR cannot be used to make unauthorized modifications to sensitive settings such as LDAP configurations.
- AC-24 (Access Control Decisions): bases access decisions for system resources such as LDAP configurations on the caller's roles, directly countering the IDOR bypass of IAM role checks.
- Input validation: validates Admin API inputs, including object references, so that authenticated users cannot manipulate sensitive settings they are not authorized for by supplying a direct reference.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An IDOR in the Admin API enables unauthorized modification of LDAP and identity configurations, which directly facilitates Account Manipulation (T1098), Modify Authentication Process (T1556), and Domain or Tenant Policy Modification (T1484).
NVD Description
The open-source identity infrastructure software Zitadel allows administrators to disable the user self-registration. ZITADEL's Admin API contains Insecure Direct Object Reference (IDOR) vulnerabilities that allow authenticated users, without specific IAM roles, to modify sensitive settings. While several endpoints are affected, the most critical vulnerability lies in the ability to manipulate LDAP configurations. Customers who do not utilize LDAP for authentication are not at risk from the most severe aspects of this vulnerability. However, upgrading to the patched version to address all identified issues is strongly recommended. This vulnerability is fixed in 2.71.0, 2.70.1, 2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5, and 2.63.8.
Deeper analysis
CVE-2025-27507 is an Insecure Direct Object Reference (IDOR) vulnerability, mapped to CWE-639, in the Admin API of Zitadel, open-source identity infrastructure software. The flaw affects multiple endpoints and lets authenticated users who lack the required IAM roles modify sensitive settings. The most critical impact is manipulation of LDAP configurations; customers who do not use LDAP for authentication face reduced risk from that aspect. Published on 2025-03-04, it has a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L).
Any authenticated user lacking the required IAM roles can exploit this IDOR vulnerability remotely with low attack complexity. Exploitation grants the ability to alter sensitive configurations, including LDAP settings, potentially disrupting authentication, enabling unauthorized changes to identity management, and compromising confidentiality, integrity, and (to a limited degree) availability; the changed scope (S:C) in the vector indicates impact beyond the vulnerable component itself.
Zitadel has patched the vulnerability in releases 2.71.0, 2.70.1, 2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5, and 2.63.8. Upgrading to a patched version is strongly recommended to remediate all affected endpoints. Additional details appear in the GitHub security advisory at https://github.com/zitadel/zitadel/security/advisories/GHSA-f3gh-529w-v32x and the fixing commit at https://github.com/zitadel/zitadel/commit/d9d8339813f1c43d3eb7d8d80f11fdabb2fd2ee4.
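As an added illustration of the flaw class and of the AC-3/AC-24 mitigation named above (not Zitadel's code and not the fixing commit), the Go sketch below contrasts an Admin API update handler that only checks authentication with one that enforces an instance-level role before touching the LDAP config referenced by a caller-supplied ID. The role name "IAM_OWNER", the types and the in-memory store are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrPermissionDenied signals a missing IAM role; the object is never touched.
var ErrPermissionDenied = errors.New("permission denied: missing IAM role")
// Caller is an authenticated principal; role names here are hypothetical.
type Caller struct {
	UserID string
	Roles  map[string]bool
}

// LDAPConfig is a constructed stand-in for an LDAP identity-provider setting.
type LDAPConfig struct{ Servers []string }
// Store keys configs by ID; that ID is the user-controlled key of CWE-639.
type Store struct{ Configs map[string]*LDAPConfig }

// applyUpdate resolves the caller-supplied ID and writes the new server list.
func (s *Store) applyUpdate(id string, servers []string) error {
	cfg, ok := s.Configs[id]
	if !ok {
		return fmt.Errorf("ldap config %q not found", id)
	}
	cfg.Servers = servers
	return nil
}

// UpdateLDAPVulnerable shows the flawed pattern: the caller is authenticated,
// but no authorization decision is made before acting on the referenced object.
func UpdateLDAPVulnerable(s *Store, c *Caller, id string, servers []string) error {
	if c == nil || c.UserID == "" {
		return errors.New("unauthenticated")
	}
	return s.applyUpdate(id, servers)
}

// UpdateLDAPFixed makes the access decision first (NIST AC-3 / AC-24): the
// caller must hold the hypothetical instance-level role "IAM_OWNER".
func UpdateLDAPFixed(s *Store, c *Caller, id string, servers []string) error {
	if c == nil || c.UserID == "" {
		return errors.New("unauthenticated")
	}
	if !c.Roles["IAM_OWNER"] {
		return ErrPermissionDenied
	}
	return s.applyUpdate(id, servers)
}
```

The detection angle follows from the same check: an audit event for an LDAP configuration change whose actor lacks the instance-level role is exactly what the fixed handler refuses, and what the vulnerable one silently records.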
Details
- CWE(s)