{"vulnerability": "CVE-2025-24977", "sightings": [{"uuid": "2b38d546-5be8-4597-b9d6-1b440d62ca99", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-24977", "type": "seen", "source": "https://infosec.exchange/users/cR0w/statuses/114456436384488510", "content": "", "creation_timestamp": "2025-05-05T17:37:00.221147Z"}, {"uuid": "9ca4b489-0e71-443d-b24f-1c8f07012b2d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2025-24977", "type": "seen", "source": "https://infosec.exchange/users/DarkWebInformer/statuses/114456475112556261", "content": "", "creation_timestamp": "2025-05-05T17:46:51.068558Z"}, {"uuid": "82fadcbf-081d-4706-a7b8-342cb6168a00", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-24977", "type": "seen", "source": "https://bsky.app/profile/darkwebinformer.com/post/3logwewqy722c", "content": "", "creation_timestamp": "2025-05-05T17:46:58.992976Z"}, {"uuid": "abab47fc-e87b-4b32-b01c-80918666c0c6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-24977", "type": "seen", "source": "https://bsky.app/profile/redteamnews.bsky.social/post/3loh2zecnb42k", "content": "", "creation_timestamp": "2025-05-05T19:09:53.925833Z"}, {"uuid": "1db391ba-c725-494f-b506-d7c43f25774a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-24977", "type": "seen", "source": "https://bsky.app/profile/dinosn.bsky.social/post/3lokeckgjek2n", "content": "", "creation_timestamp": "2025-05-07T02:34:09.745646Z"}, {"uuid": "a03c980e-0d0f-4a69-94d8-e263bec809d8", "vulnerability_lookup_origin": 
"1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-24977", "type": "seen", "source": "https://bsky.app/profile/infosec.skyfleet.blue/post/3lolfpbtnop2o", "content": "", "creation_timestamp": "2025-05-07T12:31:46.609775Z"}, {"uuid": "f0b96830-6cf9-4c23-afc5-bbaefe403b64", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-24977", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/14937", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-24977\n\ud83d\udd25 CVSS Score: 9.1 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)\n\ud83d\udd39 Description: OpenCTI is an open cyber threat intelligence (CTI) platform. Prior to version 6.4.11 any user with the capability `manage customizations` can execute commands on the underlying infrastructure where OpenCTI is hosted and can access internal server side secrets by misusing the web-hooks. Since the malicious user gets a root shell inside a container this opens up the infrastructure environment for further attacks and exposures. Version 6.4.11 fixes the issue.\n\ud83d\udccf Published: 2025-05-05T17:07:35.812Z\n\ud83d\udccf Modified: 2025-05-05T17:07:35.812Z\n\ud83d\udd17 References:\n1. 
https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-mf88-g2wq-p7qm", "creation_timestamp": "2025-05-05T17:20:26.000000Z"}, {"uuid": "b7867a86-67d5-4520-aa1c-ca578240f628", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-24977", "type": "seen", "source": "https://t.me/DarkWebInformer_News/4170", "content": "\ud83d\udea8 News Alert!\n\nSource: Dark Web Informer - Cyber Threat Intelligence\nTitle: Critical Vulnerability in OpenCTI (CVE-2025-24977) Allows Infrastructure Takeover via Webhook Abuse\nLink: https://darkwebinformer.com/critical-vulnerability-in-opencti-cve-2025-24977-allows-infrastructure-takeover-via-webhook-abuse/", "creation_timestamp": "2025-05-05T17:46:48.000000Z"}, {"uuid": "96f59843-cb43-4651-9723-2c5eb5ebb3ab", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-24977", "type": "seen", "source": "https://t.me/poxek/5122", "content": "\ud83d\udea8 Critical vulnerability in OpenCTI (CVE-2025-24977) \n\nA critical vulnerability has been discovered in OpenCTI, a popular platform for cyber threat intelligence (CTI) and indicator sharing, that allows attackers to take over 
infrastructure by abusing the webhook mechanism.\n\n\ud83d\udd0d The core of the problem:\nAn attacker can send specially crafted data to the OpenCTI webhook interface, which leads to remote command execution (RCE) and full compromise of the system. 
Exploitation is possible without prior authentication if the webhook is exposed to the internet.\n\n\n\ud83d\udee1 Recommendations:\nUrgently update OpenCTI to the latest version that fixes CVE-2025-24977\n\nReview webhook settings and restrict access to trusted sources only\n\nAnalyze event logs for suspicious requests\n\nMore details:\n\ud83d\udd17 Source\n\n#CVE2025 #OpenCTI", "creation_timestamp": "2025-05-08T09:18:06.000000Z"}, {"uuid": "85a5b8c5-4553-4bca-8205-5f7b3694b2b3", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-24977", "type": 
"published-proof-of-concept", "source": "https://t.me/TheDarkWebInformer/16824", "content": "\ud83d\udea8Critical Vulnerability in OpenCTI (CVE-2025-24977) Allows Infrastructure Takeover via Webhook Abuse\n\nhttps://darkwebinformer.com/critical-vulnerability-in-opencti-cve-2025-24977-allows-infrastructure-takeover-via-webhook-abuse/", "creation_timestamp": "2025-05-05T19:46:57.000000Z"}, {"uuid": "51263543-0441-4d3a-900a-8adc57b57a42", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-24977", "type": "published-proof-of-concept", "source": "https://t.me/CyberSecurityTechnologies/12021", "content": "#exploit\nCVE-2025-24977\nCritical Vulnerability in OpenCTI\nAllows Infrastructure Takeover via Webhook Abuse\nhttps://darkwebinformer.com/critical-vulnerability-in-opencti-cve-2025-24977-allows-infrastructure-takeover-via-webhook-abuse/", "creation_timestamp": "2025-05-08T17:51:02.000000Z"}, {"uuid": "feb710d2-9b35-4fca-b074-e0004961632a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-24977", "type": "seen", "source": "https://t.me/cvedetector/24461", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2025-24977 - OpenCTI Container Escalation Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2025-24977 \nPublished : May 5, 2025, 5:18 p.m. | 16\u00a0minutes ago \nDescription : OpenCTI is an open cyber threat intelligence (CTI) platform. Prior to version 6.4.11 any user with the capability `manage customizations` can execute commands on the underlying infrastructure where OpenCTI is hosted and can access internal server side secrets by misusing the web-hooks. Since the malicious user gets a root shell inside a container this opens up the infrastructure environment for further attacks and exposures. Version 6.4.11 fixes the issue. 
\nSeverity: 9.1 | CRITICAL \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"05 May 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-05-05T20:03:38.000000Z"}]}