Skip to main content

Octopus Server CVE-2025-0589

MEDIUM
Incorrect Use of Privileged APIs (CWE-648)
2025-02-11 security@octopus.com
6.9
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Mar 28, 2026 - 18:26 vuln.today
CVE Published
Feb 11, 2025 - 09:15 nvd
MEDIUM 6.9

DescriptionCVE.org

In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information ( Group ID and Display name) from the other. This vulnerability does not expose data within the Octopus Server product itself.

AnalysisAI

In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-648. In affected versions of Octopus Deploy where customers are using Active Directory for authentication it was possible for an unauthenticated user to make an API request against two endpoints which would retrieve some data from the associated Active Directory. The requests when crafted correctly would return specific information from user profiles (Email address/UPN and Display name) from one endpoint and group information ( Group ID and Display name) from the other. This vulnerability does not expose data within the Octopus Server product itself. Affected products include: Octopus Octopus Server.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2018-18850 HIGH POC
8.8 Oct 31

In Octopus Deploy 2018.8.0 through 2018.9.x before 2018.9.1, an authenticated user with permission to modify deployment

CVE-2019-11632 HIGH POC
8.1 May 01

In Octopus Deploy 2019.1.0 through 2019.3.1 and 2019.4.0 through 2019.4.5, an authenticated user with the VariableViewUn

CVE-2022-2572 CRITICAL
9.8 Nov 01

In affected versions of Octopus Server where access is managed by an external authentication provider, it was possible t

CVE-2022-2778 CRITICAL
9.8 Sep 30

In affected versions of Octopus Deploy it is possible to bypass rate limiting on login using null bytes. Rated critical

CVE-2018-11320 CRITICAL
9.8 May 21

In Octopus Deploy 2018.4.4 through 2018.5.1, Octopus variables that are sourced from the target do not have sensitive va

CVE-2026-0704 CRITICAL
9.1 Feb 25

Path traversal in Octopus Deploy allows removing files and file contents on the host through API manipulation. Enables d

CVE-2022-2782 CRITICAL
9.1 Oct 27

In affected versions of Octopus Server it is possible for a session token to be valid indefinitely due to improper valid

CVE-2024-9194 HIGH
8.7 Sep 30

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Linux and Microsof

CVE-2022-2780 HIGH
8.1 Oct 14

In affected versions of Octopus Server it is possible to use the Git Connectivity test function on the VCS project to in

CVE-2021-26556 HIGH
7.8 Oct 07

When Octopus Server is installed using a custom folder location, folder ACLs are not set correctly and could lead to an

CVE-2024-2975 HIGH
7.5 Apr 09

A race condition was identified through which privilege escalation was possible in certain configurations. Rated high se

CVE-2023-1904 HIGH
7.5 Dec 14

In affected versions of Octopus Server it is possible for the OpenID client secret to be logged in clear text during the

Share

CVE-2025-0589 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy