Summary: The ZITADEL project has announced a critical security advisory addressing multiple Insecure Direct Object Reference (IDOR) vulnerabilities in its Admin API, which could allow unauthorized modifications to sensitive settings. These vulnerabilities, classified as CVE-2025-27507 with a CVSS score of 9.0, primarily affect LDAP configuration endpoints, potentially leading to account takeovers. Users are urged to upgrade to the patched version immediately to mitigate these risks.
Affected: ZITADEL
Key points:
- Multiple IDOR vulnerabilities could be exploited by authenticated users to gain unauthorized access to sensitive settings.
- Critical vulnerabilities allow attackers to modify LDAP settings, potentially redirecting logins to a malicious server.
- Patches are available for various versions of ZITADEL 2.x, and users are encouraged to upgrade promptly.
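The IDOR class named above comes down to one missing check: a handler that trusts a caller-supplied object ID and never compares the record's owner with the tenant the caller's token is scoped to. The Go program below is an added illustration of that pattern and its fix; it is not ZITADEL's code, the `Store`, `Caller` and `LDAPConfig` types and the hostnames are constructed for the example, and it does not reproduce any specific endpoint from the advisory. It shows a vulnerable update handler beside a hardened one and replays the same cross-organisation write against both.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Caller is the authenticated principal. OrgID is the tenant the caller's
// token is scoped to; that scope is what an IDOR check must enforce.
type Caller struct {
	UserID string
	OrgID  string
}

// LDAPConfig is a simplified LDAP identity-provider setting. The field names
// are hypothetical and not ZITADEL's API shape.
type LDAPConfig struct {
	ID      string
	OrgID   string   // owning tenant
	Servers []string // where logins for this org are sent
}

var ErrNotFound = errors.New("ldap config not found")

// Store is an in-memory stand-in for the settings database.
type Store struct {
	mu   sync.Mutex
	byID map[string]*LDAPConfig
}

func NewStore(cfgs ...LDAPConfig) *Store {
	s := &Store{byID: make(map[string]*LDAPConfig)}
	for i := range cfgs {
		c := cfgs[i]
		s.byID[c.ID] = &c
	}
	return s
}

// UpdateServersVulnerable is the IDOR pattern: it looks the record up by the
// caller-supplied ID only, so an admin of org-a can rewrite org-b's settings.
func (s *Store) UpdateServersVulnerable(c Caller, id string, servers []string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	cfg, ok := s.byID[id]
	if !ok {
		return ErrNotFound
	}
	cfg.Servers = servers
	return nil
}

// UpdateServersChecked enforces the tenant boundary: the record must belong
// to the caller's org. A cross-tenant ID is answered with "not found" rather
// than "forbidden" so the endpoint does not confirm that the ID exists.
func (s *Store) UpdateServersChecked(c Caller, id string, servers []string) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	cfg, ok := s.byID[id]
	if !ok || cfg.OrgID != c.OrgID {
		return ErrNotFound
	}
	cfg.Servers = servers
	return nil
}

// Servers returns a copy of the current server list for a config ID.
func (s *Store) Servers(id string) []string {
	s.mu.Lock()
	defer s.mu.Unlock()
	cfg, ok := s.byID[id]
	if !ok {
		return nil
	}
	return append([]string(nil), cfg.Servers...)
}

// Demo replays one cross-tenant write against both handlers and reports
// whether org-b's login target was changed. All values are constructed.
func Demo() (vulnerableChanged, checkedChanged bool) {
	caller := Caller{UserID: "admin-of-org-a", OrgID: "org-a"}
	orig := []string{"ldaps://ldap.org-b.example:636"}
	rogue := []string{"ldaps://rogue.example:636"}

	s1 := NewStore(LDAPConfig{ID: "ldap-b", OrgID: "org-b", Servers: orig})
	_ = s1.UpdateServersVulnerable(caller, "ldap-b", rogue)
	vulnerableChanged = s1.Servers("ldap-b")[0] == rogue[0]

	s2 := NewStore(LDAPConfig{ID: "ldap-b", OrgID: "org-b", Servers: orig})
	_ = s2.UpdateServersChecked(caller, "ldap-b", rogue)
	checkedChanged = s2.Servers("ldap-b")[0] == rogue[0]
	return
}

func main() {
	v, c := Demo()
	fmt.Printf("vulnerable handler changed org-b LDAP target: %v\n", v) // true
	fmt.Printf("checked handler changed org-b LDAP target:    %v\n", c) // false
}
```

The ownership comparison belongs in the data-access layer (or a shared authorization middleware) rather than in each handler, so that a newly added endpoint cannot forget it; a regression test like `Demo` that asserts the cross-tenant write fails is the cheapest way to keep the check in place.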
Source: https://securityonline.info/cve-2025-27507-cvss-9-0-zitadel-users-at-risk-of-account-takeover/