CVE-2025-27507: 
vulnerability analysis and mitigation

CVE-2025-27507 affects ZITADEL, an open-source identity infrastructure software, discovered in March 2025. The vulnerability involves multiple Insecure Direct Object Reference (IDOR) vulnerabilities in ZITADEL's Admin API that allow authenticated users without specific IAM roles to modify sensitive settings. The vulnerability has been assigned a CVSS score of 9.0 (Critical) and affects multiple versions of ZITADEL 2.x. The issue has been patched in versions 2.71.0, 2.70.1, 2.69.4, 2.68.4, 2.67.8, 2.66.11, 2.65.6, 2.64.5, and 2.63.8 (GitHub Advisory, NVD).

The vulnerability stems from 12 HTTP endpoints in ZITADEL's Admin API that are accessible to authenticated users without proper ZITADEL manager privileges. The most critical vulnerable endpoints relate to LDAP configuration at '/idps/ldap' and '/idps/ldap/{id}'. The vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key) and has been assigned a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L, indicating network accessibility, low attack complexity, and high potential impact (GitHub Advisory).

The vulnerability's impact varies depending on LDAP usage. For instances using LDAP authentication, successful exploitation could lead to complete takeover of user accounts and exposure of LDAP server passwords. Attackers could modify ZITADEL's instance LDAP settings to redirect login attempts to malicious servers. For non-LDAP users, while less severe, the vulnerability still allows unauthorized modification of instance settings such as languages, labels, and templates, affecting all organizations (Security Online, GitHub Advisory).

Organizations are strongly advised to upgrade to the patched versions: 2.71.0 or later for 2.x versions, 2.70.1 or later for 2.70.x, 2.69.4 or later for 2.69.x, 2.68.4 or later for 2.68.x, 2.67.8 or later for 2.67.x, 2.66.11 or later for 2.66.x, 2.65.6 or later for 2.65.x, 2.64.5 or later for 2.64.x, and 2.63.8 or later for 2.63.x versions (GitHub Advisory).

The vulnerability was discovered by Amit Laish, a senior security researcher from GE Vernova, and was responsibly reported to ZITADEL. The ZITADEL project has acknowledged the vulnerability and expressed gratitude to Laish for the responsible disclosure (Security Online).