Platform
other
Component
ziti-console
Fixed in
3.7.2
CVE-2025-27501 is a Server-Side Request Forgery (SSRF) vulnerability in the Ziti Console, the web UI for OpenZiti. A user-supplied URL is handed to the console's server-side component, which then issues an HTTP request to it, so an attacker can make the console server reach arbitrary internal or external resources. Ziti Console 3.7.1 and earlier are affected; the fix ships in version 3.7.2.
To exploit it, an attacker crafts a malicious URL parameter that makes the console server issue a request to a destination of the attacker's choosing. Because the request originates from the console host, it carries that host's network position and any implicit trust attached to it: the attacker can scan internal networks, reach services that are not exposed externally, read configuration or metadata endpoints, and interact with other internal applications that rely on network locality instead of authentication. Data exfiltration follows if responses are returned to the attacker, and remote code execution becomes possible only indirectly, where a reachable internal service is itself vulnerable to unauthenticated requests. The blast radius is therefore every resource reachable over HTTP or HTTPS from the Ziti Console server.
CVE-2025-27501 was publicly disclosed on 2025-03-03. No public proof-of-concept (PoC) code has been released as of this writing, the vulnerability is not listed in the CISA KEV catalog, and EPSS puts its 30-day exploitation probability at 0.10% (28th percentile). Exploitation likelihood is nonetheless assessed as medium: once a vulnerable console is reachable, triggering the request requires nothing more than a crafted URL parameter.
Organizations that run Ziti Console for zero-trust network access are at risk, particularly where internal services are reachable over HTTP or HTTPS from the console host. Shared deployments in which several users or tenants use one Ziti Console instance are especially exposed, since the server-side request is made with the console host's network access rather than the requesting user's, so one user can reach resources that belong to another.
• generic web: Use curl to check for the vulnerable endpoint and test for SSRF behavior by supplying a URL that points at an internal resource (or at a listener you control, which confirms the server-side request without touching production services). The path and parameter name below are illustrative; confirm them against your deployed console build.
curl 'https://<ziti-console-ip>/admin/endpoint?url=http://internal-service/'
• linux / server: Monitor access logs for requests to the /admin/endpoint endpoint whose URL parameter targets internal, loopback, link-local or cloud-metadata addresses. A grep over the nginx access log catches the obvious cases (literal private addresses, plain or percent-encoded); obfuscated forms such as integer or hex IPs, or DNS names that resolve internally, need a parser rather than a pattern.
grep -E '/admin/endpoint\?[^ ]*url=' /var/log/nginx/access.log | grep -E 'url=https?(://|%3A%2F%2F)(127\.|10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.|169\.254\.|localhost|\[?::1)'
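The log triage described above, as an added example that is not part of the advisory page or the OpenZiti project: a Python script that parses nginx combined-format lines, extracts the URL parameter from requests to the watched endpoint, and flags targets in loopback, private, link-local or reserved space, including the integer and hex IP encodings that a plain grep misses. The endpoint path /admin/endpoint, the parameter name url, and the sample log lines are assumptions constructed for illustration.

```python
"""Triage nginx access-log lines for SSRF attempts against a Ziti Console.

Added example, not the advisory's or the OpenZiti project's code. Assumptions
(constructed for illustration): the console takes the target in a query
parameter named `url` on the path /admin/endpoint, and the logs use nginx's
default "combined" format.
"""
import ipaddress
import re
from urllib.parse import parse_qs, unquote, urlsplit

# nginx "combined": remote - user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

WATCHED_PATHS = {"/admin/endpoint"}   # assumed endpoint path (placeholder)
WATCHED_PARAMS = {"url"}              # assumed parameter name (placeholder)

# Hostnames that are never a legitimate console target.
DENY_HOSTNAMES = {"localhost", "metadata.google.internal"}


def _parse_ip(host: str):
    """Return an ip_address for dotted/colon or bare-integer forms, else None."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        pass
    # Integer or hex forms such as 2130706433 or 0x7f000001 (HTTP clients accept them).
    try:
        return ipaddress.ip_address(int(host, 0))
    except (ValueError, OverflowError):
        return None


def is_internal_target(url: str) -> bool:
    """True if the URL points at loopback, private, link-local, reserved or
    unspecified address space, or at a well-known internal hostname."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return True   # malformed URL: treat as suspicious
    host = (parts.hostname or "").lower()
    if not host:
        return True
    if host in DENY_HOSTNAMES or host.endswith((".internal", ".local")):
        return True
    ip = _parse_ip(host)
    if ip is None:
        return False  # public DNS name; resolution is out of scope offline
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def flag_line(line: str):
    """Return (remote, target_url) if the line looks like an SSRF attempt, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if path not in WATCHED_PATHS:
        return None
    for name, values in parse_qs(query, keep_blank_values=True).items():
        if name not in WATCHED_PARAMS:
            continue
        for value in values:
            candidate = unquote(value)  # parse_qs decoded once; this handles double-encoding
            if is_internal_target(candidate):
                return (m.group("remote"), candidate)
    return None


def triage(lines):
    """Return every (remote, target_url) hit in the given log lines, in order."""
    return [hit for hit in (flag_line(line) for line in lines) if hit]


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Mar/2025:10:01:02 +0000] "GET /admin/endpoint?url=http%3A%2F%2F127.0.0.1%3A1280%2F HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.5 - - [03/Mar/2025:10:01:05 +0000] "GET /admin/endpoint?url=http://169.254.169.254/latest/meta-data/ HTTP/1.1" 200 311 "-" "curl/8.5.0"',
    '198.51.100.7 - - [03/Mar/2025:10:02:00 +0000] "GET /admin/endpoint?url=http://0x7f000001/ HTTP/1.1" 200 98 "-" "python-requests/2.31"',
    '192.0.2.9 - - [03/Mar/2025:10:03:00 +0000] "GET /admin/endpoint?url=https://ctrl.example.com:1280/ HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [03/Mar/2025:10:03:01 +0000] "GET /assets/app.js HTTP/1.1" 200 20480 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for remote, target in triage(SAMPLE_LOG):
        print(f"SSRF candidate from {remote}: {target}")
```

The hex-encoded loopback line is the reason for the parser: the grep pattern above never matches `0x7f000001`, but `int(host, 0)` normalises it to 127.0.0.1. Public hostnames are deliberately not resolved here; a production version would resolve them and re-run the address check, since a DNS name under attacker control can point at internal space.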
Exploit status
EPSS
0.10% (28th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-27501 is to upgrade Ziti Console to version 3.7.2 or later. That release moves the request from the server side to the client side, so the console server no longer fetches user-supplied URLs and the SSRF path is removed. If upgrading is not immediately feasible, put a Web Application Firewall (WAF) in front of the console with rules that reject URL parameters pointing at loopback, private, link-local or metadata addresses, and treat this as a stopgap only, since encoded and obfuscated targets routinely evade pattern-based rules. Independently, restrict outbound network access from the Ziti Console host to the controller it actually needs, which limits what a successful SSRF can reach. After the upgrade, confirm the fix by sending the crafted request with the URL parameter pointing at a listener you control and verifying that no connection arrives from the console server's address; with the fix in place any such request is made by the user's browser, not by the server.
Update Ziti Console to version 3.7.2 or later. This version fixes the SSRF vulnerability by moving the request from the server side to the external, client-side call to the controller. This prevents the node's identity from being used to obtain additional privileges.
CVE-2025-27501 is a Server-Side Request Forgery (SSRF) vulnerability affecting Ziti Console versions 3.7.1 and earlier. It lets an attacker make the console server issue requests to destinations of the attacker's choosing, including internal resources.
You are affected if you are running Ziti Console version 3.7.1 or earlier. Upgrade to 3.7.2 or later to fix the vulnerability.
Upgrade Ziti Console to version 3.7.2 or later. If upgrading is not immediately possible, a WAF rule that blocks URL parameters targeting internal addresses is a temporary workaround, not a substitute for the fix.
There is no confirmed active exploitation of CVE-2025-27501 at this time, but the vulnerability is considered potentially exploitable.
Refer to the official OpenZiti security advisory for details: [https://www.openziti.io/security/advisories](https://www.openziti.io/security/advisories)