CVE-2025-27912
Published: 11 March 2025
Summary
CVE-2025-27912 is a high-severity CSRF (CWE-352) vulnerability in Datalust Seq. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 40.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SC-23 requires session authenticity mechanisms like anti-CSRF tokens, directly preventing impersonation via forged cross-site requests in this CSRF vulnerability.
SI-10 mandates validation of information inputs such as Content-Type headers, directly addressing the missing validation that enables CSRF exploitation in Seq.
SI-2 ensures timely identification, testing, and installation of software patches, comprehensively mitigating this flaw by upgrading to Seq 2024.3.13545 or later.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CSRF vulnerability in public-facing Seq server enables exploitation of the application by tricking authenticated users into visiting malicious sites to perform unauthorized actions.
NVD Description
An issue was discovered in Datalust Seq before 2024.3.13545. Missing Content-Type validation can lead to CSRF when (1) Entra ID or OpenID Connect authentication is in use and a user visits a compromised/malicious site, or (2) when username/password or Active…
more
Directory authentication is in use and a user visits a compromised/malicious site under the same effective top-level domain as the Seq server. Exploitation of the vulnerability allows the attacker to conduct impersonation attacks and perform actions in Seq on behalf of the targeted user.
Deeper analysisAI
CVE-2025-27912 is a cross-site request forgery (CSRF) vulnerability in Datalust Seq versions prior to 2024.3.13545, stemming from missing Content-Type validation. This flaw affects the Seq logging and monitoring server, which supports various authentication methods including Entra ID, OpenID Connect, username/password, and Active Directory. Assigned CWE-352, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.
The vulnerability can be exploited by an attacker who tricks an authenticated user into visiting a malicious or compromised website. Exploitation is possible in two scenarios: first, when Entra ID or OpenID Connect authentication is enabled, regardless of domain; second, when username/password or Active Directory authentication is used and the malicious site shares the same effective top-level domain (eTLD) as the Seq server. Successful attacks enable impersonation, allowing the attacker to perform arbitrary actions in Seq on behalf of the victim user, such as modifying logs or configurations.
Mitigation requires upgrading to Datalust Seq version 2024.3.13545 or later, as indicated by the vulnerability's versioning in the disclosure. Additional details are available in the vendor's Seq documentation at https://datalust.co/seq and the GitHub issue tracker at https://github.com/datalust/seq-tickets/issues/2366.
Details
- CWE(s)