Platform
python
Component
opencti
Fixed in
6.4.12
6.4.11
CVE-2025-24977 is a remote code execution (RCE) vulnerability affecting OpenCTI, an open cyber threat intelligence (CTI) platform. An attacker with the 'manage customizations' capability can execute arbitrary commands on the underlying infrastructure and access sensitive server-side secrets. This vulnerability impacts versions of OpenCTI prior to 6.4.11 and has been resolved in version 6.4.11.
The impact of CVE-2025-24977 is severe. A successful exploit gives the attacker a root shell inside the OpenCTI container, so everything the platform process can reach is exposed: the intelligence data it stores, the credentials and configuration it is started with, and any network services the container can talk to. How far that reaches beyond the container depends on the deployment: a container running with broad network access, host mounts or other unnecessary privileges gives a much larger blast radius than a hardened one, but a root shell in the container is not by itself a compromise of the host. The exposed server-side secrets are the most likely path to a wider compromise, since they can be reused against the backing services and other systems, and they should be treated as leaked on any instance where the 'manage customizations' capability was held by an account that is not fully trusted.
CVE-2025-24977 was publicly disclosed on May 5, 2025, with a CVSS score of 9.1. No public proof-of-concept (PoC) code is known as of this writing, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. Exploitation does, however, require nothing more than an account holding the 'manage customizations' capability, so once such an account is obtained, or the capability is granted too liberally, the flaw is straightforward to abuse and should be expected to attract exploitation attempts.
Exploit Status
EPSS
0.53% (67th percentile)
The primary mitigation for CVE-2025-24977 is to upgrade OpenCTI to version 6.4.11 or later without delay. Until that is possible, review which users and groups hold the 'manage customizations' capability and remove it from every account that does not strictly need it, since holding that capability is the only precondition for exploitation. Segment the network around the OpenCTI deployment so that a shell in the container cannot reach unrelated systems, and run the container without unnecessary privileges or host mounts to limit what a root shell inside it can do. A WAF or reverse proxy does not fix the flaw, because the malicious input arrives as a legitimate, authenticated request from a privileged user; at most it can log customization changes for later review. After upgrading, confirm that the running instance reports version 6.4.11 or later, and if the capability was ever held by an account you do not fully trust, rotate the secrets the platform is configured with, since they may already have been read.
Update OpenCTI to version 6.4.11 or higher. This release corrects the remote code execution and the exposure of sensitive secrets through webhooks, so that users with customization management privileges can no longer execute commands on the server or read confidential configuration.
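As an added example for this entry (not code from the OpenCTI project), the following Python script decides whether a given OpenCTI version string predates the fix and scans requirements-file lines that pin the `opencti` component named on this page. The sample requirements text is constructed for the demonstration. Treating a pre-release of 6.4.11 (such as `6.4.11-rc1`) as still affected is a conservative assumption, and the script does not contact a running instance: feed it the version string your deployment reports.

```python
"""Check OpenCTI version strings and requirements pins against CVE-2025-24977.

Added example for this advisory entry; not OpenCTI project code.
"""
import re

# First release that ships the fix, per the advisory text.
FIXED_VERSION = (6, 4, 11)
# The component named on this page; other package names are ignored.
COMPONENT = "opencti"

# Accepts '6.4.10', 'v6.4.12', '6.4.11-rc1', '6.4.11rc1', '6.4.11+build7'.
_VERSION_RE = re.compile(
    r"^v?(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"(?P<pre>(?:[-.+][0-9A-Za-z.+-]*|[A-Za-z][0-9A-Za-z.+-]*))?$"
)

# Minimal requirements-line shape: name, optional extras, optional operator
# and version. Environment markers and comments are not interpreted.
_REQ_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)(?:\[[^\]]*\])?\s*"
    r"(?P<op>===?|[~!<>]=?)?\s*(?P<ver>[^\s;#]+)?"
)


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease) for a version string.

    A '-' or '.' suffix ('-rc1', '.dev0') or a bare alphabetic suffix ('rc1')
    marks a pre-release; a '+' suffix is build metadata and does not affect
    ordering. Raises ValueError on anything that is not a version.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    core = (int(m["major"]), int(m["minor"]), int(m["patch"] or 0))
    pre = m["pre"]
    is_pre = bool(pre) and not pre.startswith("+")
    return core, is_pre


def is_affected(version):
    """True when the version predates the fix.

    A pre-release of the fix version itself (e.g. '6.4.11-rc1') sorts before
    the final 6.4.11 release, so it is conservatively reported as affected.
    """
    core, is_pre = parse_version(version)
    if core < FIXED_VERSION:
        return True
    return core == FIXED_VERSION and is_pre


def scan_requirements(text):
    """Return (line_no, line, verdict) for every line that names COMPONENT.

    Verdicts: 'affected' or 'fixed' for exact pins ('==' / '==='), and
    'unverifiable' for range pins or unpinned entries, where only the
    installed version can answer the question.
    """
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = _REQ_RE.match(line)
        if not m or m["name"].lower().replace("_", "-") != COMPONENT:
            continue
        op, ver = m["op"], m["ver"]
        if op in ("==", "===") and ver:
            verdict = "affected" if is_affected(ver) else "fixed"
        else:
            verdict = "unverifiable"
        findings.append((no, line, verdict))
    return findings


# Constructed sample requirements file for the demonstration; not taken from
# any real deployment.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
opencti==6.4.10      # pinned to a vulnerable release
opencti>=6.4.0       # range pin: the installed version must be checked
"""


if __name__ == "__main__":
    for v in ("6.4.10", "6.4.11", "v6.4.12", "6.4.11-rc1"):
        print(f"{v:12} affected={is_affected(v)}")
    for no, line, verdict in scan_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {no}: {line!r} -> {verdict}")
```

An `unverifiable` verdict is a prompt to check the version the instance actually reports, not a clean result: a range pin such as `>=6.4.0` will happily resolve to a vulnerable release on a host whose cache or index lags behind.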
CVE-2025-24977 is a critical remote code execution vulnerability in OpenCTI versions prior to 6.4.11, allowing attackers who hold the 'manage customizations' capability to execute commands on the server and read server-side secrets.
You are affected if you are running any OpenCTI version prior to 6.4.11. Check the version your instance reports and upgrade if it is older.
Upgrade OpenCTI to version 6.4.11 or later. Restrict access to the 'manage customizations' role to trusted users only.
While no public exploits are currently known, the severity of the flaw and the low effort required once the capability is held make future exploitation likely.
Refer to the official OpenCTI security advisory on their website or GitHub repository for detailed information and updates.