CVE-2025-24365
Published: 27 January 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-24365 is a privilege escalation vulnerability in vaultwarden, an unofficial Bitwarden-compatible server implementation written in Rust and formerly known as bitwarden_rs. The flaw allows an attacker to obtain owner rights over another user's organization. It has a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-284 (Improper Access Control).
An attacker with low-privileged access, such as ordinary membership in the target organization without elevated rights, can exploit this vulnerability if they know the victim organization's ID. The attacker must also be an owner or admin of some other organization, which is straightforward to achieve because users can create their own organization by default. Successful exploitation grants the attacker full owner privileges on the victim organization, enabling high-impact confidentiality and integrity violations without requiring any user interaction.
The vulnerability is fixed in vaultwarden version 1.33.0. Security practitioners should upgrade to this version or later, as detailed in the official release notes at https://github.com/dani-garcia/vaultwarden/releases/tag/1.33.0 and the GitHub security advisory at https://github.com/dani-garcia/vaultwarden/security/advisories/GHSA-j4h8-vch3-f797.
Details
- CWE(s): CWE-284 (Improper Access Control)
- Affected Products: vaultwarden, versions prior to 1.33.0
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a privilege escalation vulnerability caused by improper access control (CWE-284) that allows an authenticated low-privileged user to gain owner rights in a target organization, which maps directly to the Exploitation for Privilege Escalation technique (T1068).