CVE-2025-25068
vulnerability analysis and mitigation

Overview

Mattermost versions 10.4.x <= 10.4.2, 10.3.x <= 10.3.3, 9.11.x <= 9.11.8, and 10.5.x <= 10.5.0 fail to enforce Multi-Factor Authentication (MFA) on plugin endpoints. The issue was disclosed on March 21, 2025; it allows an authenticated attacker to bypass MFA by sending API requests to plugin-specific routes (NVD).

Technical details

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) by Mattermost, Inc., with a vector string of CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. The NVD has assigned a higher CVSS score of 8.8 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; the two vectors differ only in Attack Complexity (AC:H versus AC:L), which accounts for the whole gap between the two scores. The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function) (NVD).

Impact

The vulnerability allows authenticated attackers to bypass MFA protections, potentially gaining unauthorized access to protected functionality and sensitive data through plugin-specific routes. Because the affected ranges span four release lines (9.11.x, 10.3.x, 10.4.x and 10.5.x), the exposure is broad across supported Mattermost deployments (NVD).

Mitigation and workarounds

Users should upgrade to the following fixed versions: 10.4.3 for 10.4.x users, 10.3.4 for 10.3.x users, 9.11.9 for 9.11.x users, and 10.5.1 for 10.5.x users (NVD, Mattermost).
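For an inventory sweep, the following added example (not from the advisory or from Mattermost) maps a deployed server version string onto the affected ranges and fixed releases listed above. Release lines the advisory does not mention (for example 10.2.x) are reported as not covered rather than as safe, since the page says nothing about them. The version-string format MAJOR.MINOR.PATCH with an optional "v" prefix and the sample versions in main are this example's assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// affectedBranch is one release line named in the advisory: every patch level
// up to and including lastVulnerable is affected; fixed is the release to move to.
type affectedBranch struct {
	major, minor   int
	lastVulnerable int
	fixed          string
}

// Ranges as published for CVE-2025-25068 (Mattermost / NVD).
var cve202525068 = []affectedBranch{
	{9, 11, 8, "9.11.9"},
	{10, 3, 3, "10.3.4"},
	{10, 4, 2, "10.4.3"},
	{10, 5, 0, "10.5.1"},
}

// Verdict is the outcome of checking one deployed server version.
type Verdict struct {
	Listed   bool   // the advisory names this release line at all
	Affected bool   // version is at or below the last vulnerable patch
	Fixed    string // release to upgrade to, set only when Affected
}

// parseVersion accepts "10.4.2" or "v10.4.2" and returns major, minor, patch.
func parseVersion(v string) (int, int, int, error) {
	fields := strings.Split(strings.TrimPrefix(strings.TrimSpace(v), "v"), ".")
	if len(fields) != 3 {
		return 0, 0, 0, fmt.Errorf("version %q is not MAJOR.MINOR.PATCH", v)
	}
	var nums [3]int
	for i, f := range fields {
		n, err := strconv.Atoi(f)
		if err != nil || n < 0 {
			return 0, 0, 0, fmt.Errorf("version %q has a non-numeric component %q", v, f)
		}
		nums[i] = n
	}
	return nums[0], nums[1], nums[2], nil
}

// Check maps a Mattermost server version onto the advisory's ranges. A release
// line the advisory does not mention comes back as Listed=false, not as fixed.
func Check(version string) (Verdict, error) {
	major, minor, patch, err := parseVersion(version)
	if err != nil {
		return Verdict{}, err
	}
	for _, b := range cve202525068 {
		if b.major == major && b.minor == minor {
			if patch <= b.lastVulnerable {
				return Verdict{Listed: true, Affected: true, Fixed: b.fixed}, nil
			}
			return Verdict{Listed: true, Affected: false}, nil
		}
	}
	return Verdict{}, nil
}

func main() {
	// Constructed sample versions, not taken from real hosts.
	for _, v := range []string{"10.4.2", "10.4.3", "v9.11.8", "10.5.1", "10.2.0", "10.4"} {
		verdict, err := Check(v)
		switch {
		case err != nil:
			fmt.Println(v, "->", err)
		case verdict.Affected:
			fmt.Printf("%s -> affected by CVE-2025-25068, upgrade to %s\n", v, verdict.Fixed)
		case verdict.Listed:
			fmt.Printf("%s -> fixed release\n", v)
		default:
			fmt.Printf("%s -> release line not covered by the advisory\n", v)
		}
	}
}
```

The check is deliberately branch-aware: 10.3.4 is fixed even though it is numerically lower than 10.4.2, which a plain "is the version below 10.5.1" comparison would get wrong.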
