CVE-2025-27507
Published: 04 March 2025
Description
Adversaries may modify the configuration settings of a domain or identity tenant to evade defenses and/or escalate privileges in centrally managed environments.
Security Summary
CVE-2025-27507 is an Insecure Direct Object Reference (IDOR) vulnerability, mapped to CWE-639, in the Admin API of Zitadel, an open-source identity infrastructure platform. The flaw affects multiple endpoints and lets authenticated users who lack the required IAM roles modify sensitive settings. The most critical impact is manipulation of LDAP configurations, although customers that do not use LDAP for authentication face reduced risk from that aspect. Published on 2025-03-04, it carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L).
Any authenticated user lacking the required IAM roles can exploit this IDOR vulnerability remotely with low attack complexity. Exploitation grants the ability to alter sensitive configuration, including LDAP settings, which can disrupt authentication, enable unauthorized changes to identity management, and compromise confidentiality and integrity, with a limited impact on availability, across the components in scope.
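The authorization gap described above, as an added illustration written for this page (it is not Zitadel's code and uses invented names: Caller, ConfigStore, update_ldap_config_vulnerable/hardened, and an assumed IAM_OWNER role). The vulnerable handler only checks that the caller is logged in, so any authenticated user who knows or guesses a configuration id can overwrite it; the hardened handler also makes a server-side authorization decision on the caller's roles and records denied attempts for detection:

```python
"""Vulnerable vs. hardened write handler for an identity-settings object.

Hypothetical example for CVE-2025-27507's vulnerability class (IDOR / CWE-639).
Not Zitadel's implementation; all names below are assumptions made for the page.
"""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a caller is authenticated but not authorized for the write."""


@dataclass
class Caller:
    user_id: str
    authenticated: bool
    iam_roles: frozenset = frozenset()   # instance-level roles; assumed role names


@dataclass
class LdapConfig:
    host: str
    bind_dn: str


@dataclass
class ConfigStore:
    """In-memory stand-in for instance settings plus an audit trail (constructed)."""
    ldap: dict = field(default_factory=dict)    # config_id -> LdapConfig
    audit: list = field(default_factory=list)   # denied-write events, for detection


# Role assumed to be required for instance-level identity settings (assumption).
REQUIRED_ROLE = "IAM_OWNER"


def update_ldap_config_vulnerable(store, caller, config_id, new_host):
    """Vulnerable pattern: the object id comes from the request and is never tied
    to a permission check, so authentication alone is enough to overwrite it."""
    if not caller.authenticated:
        raise Forbidden("login required")
    cfg = store.ldap[config_id]
    cfg.host = new_host
    return cfg


def update_ldap_config_hardened(store, caller, config_id, new_host):
    """Hardened pattern: authentication AND an explicit, server-side authorization
    decision on the caller's roles before any write; denials are logged."""
    if not caller.authenticated:
        raise Forbidden("login required")
    if REQUIRED_ROLE not in caller.iam_roles:
        store.audit.append({"event": "denied_write", "user": caller.user_id,
                            "object": config_id, "required": REQUIRED_ROLE})
        raise Forbidden(f"{caller.user_id} lacks {REQUIRED_ROLE}")
    cfg = store.ldap[config_id]
    cfg.host = new_host
    return cfg


def sample_store():
    # Constructed sample data, not a real deployment.
    return ConfigStore(ldap={"ldap-1": LdapConfig(host="ldap.corp.example",
                                                  bind_dn="cn=svc,dc=corp,dc=example")})


def demo():
    """Exercise both handlers with a low-privileged and an admin caller."""
    low_priv = Caller("u-42", authenticated=True)
    admin = Caller("u-1", authenticated=True, iam_roles=frozenset({REQUIRED_ROLE}))

    store = sample_store()
    vulnerable_host = update_ldap_config_vulnerable(
        store, low_priv, "ldap-1", "unauthorized.example").host

    store = sample_store()
    try:
        update_ldap_config_hardened(store, low_priv, "ldap-1", "unauthorized.example")
        low_priv_blocked = False
    except Forbidden:
        low_priv_blocked = True
    host_after_blocked_attempt = store.ldap["ldap-1"].host
    admin_host = update_ldap_config_hardened(store, admin, "ldap-1", "ldap2.corp.example").host

    return {
        "vulnerable_host": vulnerable_host,
        "low_priv_blocked": low_priv_blocked,
        "host_after_blocked_attempt": host_after_blocked_attempt,
        "admin_host": admin_host,
        "denied_events": len(store.audit),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the authorization decision depends only on server-held state (the caller's roles) and is made before the write; the denied-write record gives a SOC a concrete signal to alert on when low-privileged accounts start probing settings endpoints.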
Zitadel has patched the vulnerability in releases 2.71.0, 2.70.1, 2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5, and 2.63.8. Upgrading to a patched version is strongly recommended to remediate all affected endpoints. Additional details appear in the GitHub security advisory at https://github.com/zitadel/zitadel/security/advisories/GHSA-f3gh-529w-v32x and the fixing commit at https://github.com/zitadel/zitadel/commit/d9d8339813f1c43d3eb7d8d80f11fdabb2fd2ee4.
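A version triage helper, added for this page (not a Zitadel tool), that encodes the patched releases listed above so that a fleet of deployed versions can be checked. It assumes MAJOR.MINOR.PATCH version strings with an optional leading "v", treats a pre-release of the fix version as unpatched, and, because the advisory names no fix for release lines older than 2.63, conservatively treats those as affected:

```python
"""Decide whether a Zitadel version string contains the CVE-2025-27507 fix.

Written for this page; not part of Zitadel. Patched releases are taken from the
advisory text. Assumptions: 'MAJOR.MINOR.PATCH[-prerelease][+build]' strings,
and that lines older than the oldest listed fix are affected.
"""
import re

# Patched releases from the advisory, keyed by (major, minor) -> first fixed patch.
PATCHED = {
    (2, 71): 0, (2, 70): 1, (2, 69): 4, (2, 68): 4, (2, 67): 8,
    (2, 66): 11, (2, 65): 6, (2, 64): 5, (2, 63): 8,
}
NEWEST_FIX_LINE = max(PATCHED)   # (2, 71): later minor lines include the fix

_VERSION_RE = re.compile(
    r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?$")


def parse_version(s):
    """Return (major, minor, patch, is_prerelease); build metadata is ignored."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def is_patched(version):
    """True if the version carries the fix for CVE-2025-27507.

    Each maintained minor line received its own backport, so a version is only
    safe once its patch number reaches the backport for its *own* line:
    2.70.0 is vulnerable even though the older 2.69.4 is fixed.
    """
    major, minor, patch, prerelease = parse_version(version)
    line = (major, minor)
    if line in PATCHED:
        fix = PATCHED[line]
        if patch > fix:
            return True
        return patch == fix and not prerelease   # rc of the fix itself: treat as unpatched
    if line > NEWEST_FIX_LINE:
        return True
    return False   # older than 2.63: no listed fix, treated as affected (assumption)


def triage(versions):
    """Map each version string to 'patched', 'affected' or 'unparseable'."""
    out = {}
    for v in versions:
        try:
            out[v] = "patched" if is_patched(v) else "affected"
        except ValueError:
            out[v] = "unparseable"
    return out


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v, verdict in triage(["v2.71.0", "2.70.0", "2.66.11", "2.62.9", "2.71.0-rc.1", "latest"]).items():
        print(f"{v:14} {verdict}")
```

Feed it the version strings your inventory or deployment pipeline reports; anything marked "affected" should be scheduled for upgrade to the release listed for its line (or to 2.71.0 or later).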
Details
CWE(s): CWE-639 (Authorization Bypass Through User-Controlled Key)
Affected Products: Zitadel (Admin API), versions prior to the patched releases listed above
MITRE ATT&CK Enterprise Techniques: T1098 (Account Manipulation), T1556 (Modify Authentication Process), T1484 (Domain or Tenant Policy Modification)
Why these techniques?
The IDOR in the Admin API enables unauthorized modification of LDAP and identity configuration, which directly facilitates account manipulation (T1098), modification of authentication processes (T1556), and domain or tenant policy changes (T1484).