A critical Insecure Direct Object Reference (IDOR) vulnerability chain in ZITADEL’s administration interface (CVE-2025-27507) has exposed organizations to systemic risks of account takeover and configuration tampering.
Rated 9.0/10 on the CVSS v3.1 scale, these flaws enable authenticated low-privilege users to manipulate LDAP authentication settings and other sensitive parameters through ZITADEL’s Admin API endpoints.
The vulnerabilities stem from insufficient authorization checks across 12 HTTP endpoints in ZITADEL’s Admin API.
Attackers with standard user privileges can exploit endpoints like /idps/ldap and /idps/ldap/{id} to redirect LDAP authentication flows to malicious servers or extract LDAP service credentials.
Figure: ZITADEL IDOR Vulnerabilities
This allows full compromise of LDAP-linked accounts and backend directory infrastructure.
Non-LDAP instances remain vulnerable through endpoints governing language settings (/text/message/passwordless_registration/{language}), security policies (/policies/label/_activate), and branding templates (/policies/label/logo).
Attackers could weaponize these to deploy phishing interfaces or disable multi-factor authentication (MFA) controls.
- LDAP Hijacking: By modifying ldap.host and ldap.baseDN parameters, attackers reroute authentication requests to rogue servers, intercepting credentials in transit.
- Credential Extraction: The /idps/ldap/{id} endpoint leaks hashed LDAP service account passwords in API responses, enabling offline cracking.
- Phishing Vector: Unauthorized changes to /text/login/{language} endpoints allow the injection of malicious content into login pages, facilitating social engineering.
ZITADEL’s security team confirmed that exploitation leaves minimal forensic traces, as configuration changes appear legitimate in audit logs.
Mitigation and Patches
ZITADEL has released patched versions enforcing role-based access controls (RBAC) across all vulnerable endpoints.
Affected versions and corresponding fixes include:
- v2.71.0+ for mainline deployments
- Backported patches for versions ≥2.63.8 through 2.70.1
Organizations must immediately:
- Upgrade to patched releases
- Audit all LDAP/config changes since January 2025
- Rotate LDAP service account credentials
- Monitor /policies/label and /text endpoints for unauthorized modifications
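Because the article notes that the resulting configuration changes look legitimate in audit logs, the useful audit question is who made them: an added example (not code from the article or from ZITADEL) that walks constructed access-log lines and flags non-admin principals writing to the endpoints the advisory lists, or reading /idps/ldap/{id}. The log format, the ORG_USER/IAM_OWNER role names and the sample lines are assumptions for this example; adapt the parser to your own proxy or audit log.

```python
import re

# Endpoint templates named in the advisory; {id} and {language} are path parameters.
SENSITIVE_ENDPOINTS = [
    "/idps/ldap", "/idps/ldap/{id}",
    "/text/message/passwordless_registration/{language}", "/text/login/{language}",
    "/policies/label/_activate", "/policies/label/logo",
]
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}
ADMIN_ROLES = {"IAM_OWNER"}  # assumed role name for this example, not ZITADEL's role model

# Constructed log format for this example: "<ts> user=<u> role=<r> method=<verb> path=<p>".
LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
                    r"method=(?P<method>[A-Z]+) path=(?P<path>\S+)$")

def _compile(template):
    """Turn '/idps/ldap/{id}' into a regex matching one concrete segment per placeholder."""
    parts = re.split(r"\{[a-z_]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in parts) + "/?$")

PATTERNS = [(t, _compile(t)) for t in SENSITIVE_ENDPOINTS]

def match_template(path):
    """Return the advisory endpoint template a request path belongs to, or None."""
    path = path.split("?", 1)[0]  # ignore the query string
    return next((t for t, pat in PATTERNS if pat.match(path)), None)

def audit(lines, admin_roles=ADMIN_ROLES):
    """Return (ts, user, role, method, template) for each non-admin request that writes to
    a sensitive endpoint, or reads /idps/ldap/{id}, which the advisory says leaks credentials."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line; a real pipeline should count these, not drop them
        template = match_template(m["path"])
        if template is None or m["role"] in admin_roles:
            continue
        if m["method"] in MUTATING or template == "/idps/ldap/{id}":
            findings.append((m["ts"], m["user"], m["role"], m["method"], template))
    return findings

# Constructed sample lines, not real ZITADEL output.
SAMPLE_LOG = [
    "2025-03-01T10:00:00Z user=alice role=ORG_USER method=PUT path=/idps/ldap/314",
    "2025-03-01T10:00:05Z user=alice role=ORG_USER method=GET path=/idps/ldap/314?view=full",
    "2025-03-01T10:01:00Z user=bob role=IAM_OWNER method=POST path=/policies/label/_activate",
    "2025-03-01T10:02:00Z user=carol role=ORG_USER method=GET path=/text/login/en",
    "2025-03-01T10:03:00Z user=carol role=ORG_USER method=PUT path=/text/login/en",
]
```

Running audit(SAMPLE_LOG) flags alice's two LDAP requests and carol's PUT to the login text, while bob's admin change and carol's read-only request pass.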
Organizations using unpatched ZITADEL instances face imminent compromise risks, given the 9.1 CVSS score and low attack complexity.
This incident underscores the critical need for continuous authorization testing in identity management systems, particularly those handling authentication flows for downstream applications.