Data Exposure Vulnerability in Octopus Deploy with Active Directory Authentication
CVE-2025-0589
Key Information:
- Vendor: Octopus Deploy
- Status: Vendor
- CVE Published: 11 February 2025
What is CVE-2025-0589?
In the affected versions of Octopus Server, when Active Directory is configured as the user authentication provider, two API endpoints can be called without authentication. An unauthenticated attacker can use them to retrieve information that Octopus obtains from Active Directory: user profile details such as email address and display name, and group details such as Group ID and group display name. The information disclosed is directory data surfaced through Octopus; the vulnerability does not expose data held in Octopus Server's own datastore. Instances that do not use Active Directory authentication are not affected by this issue.
Affected Version(s)
Octopus Server (Windows) from 2020.3.3 up to, but not including, 2024.3.13071
Octopus Server (Windows) from 2024.4.401 up to, but not including, 2024.4.7065
The upper bound of each range is the first build outside it, so 2024.3.13071 and 2024.4.7065 (and later builds on those lines) are not listed as affected.
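As an added example (not code from Octopus Deploy or from this advisory), the following Python helper compares an Octopus Server build number against the two affected ranges listed above. The ranges are taken from this page; the version-string format (dot-separated integers such as "2024.3.13071", optionally followed by a "-" suffix) is an assumption about how the server reports its build. The function returns False for builds that sit between the two ranges, because the page does not list them as affected.

```python
"""Check whether an Octopus Server build falls inside the version ranges
listed for CVE-2025-0589.

Added example, not Octopus Deploy's own code. The ranges are copied from the
advisory text; the assumed version format is dot-separated integers
(e.g. "2024.3.13071"), optionally followed by a "-suffix" that is ignored.
"""
from typing import List, Tuple

# (first affected build, first fixed build): a version is affected when
# first_affected <= version < first_fixed.
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("2020.3.3", "2024.3.13071"),
    ("2024.4.401", "2024.4.7065"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "2024.3.13071" into (2024, 3, 13071).

    Anything after the first "-" (assumed to be a pre-release or hotfix tag)
    is dropped so the numeric components still compare correctly. Python
    compares tuples element by element, which is exactly the ordering we want
    for year.minor.build version numbers.
    """
    core = version.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Octopus Server version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> bool:
    """True when the build lies inside one of the ranges listed on the page."""
    v = parse_version(version)
    for first_affected, first_fixed in AFFECTED_RANGES:
        if parse_version(first_affected) <= v < parse_version(first_fixed):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample inputs covering both range edges and a build
    # between the two ranges.
    for sample in ("2024.3.13070", "2024.3.13071", "2024.4.401",
                   "2024.4.7065", "2024.4.100", "2020.3.2"):
        print(f"{sample:>14}: {'affected' if is_affected(sample) else 'not listed'}")
```

Feed the function the version string reported by the server you administer; the check only reflects the two ranges on this page and says nothing about builds the advisory does not mention.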
News Articles
Free Tool Autoswagger Finds The API Flaws Attackers Hope You Miss
Exposed API documentation is a gift-wrapped roadmap for threat actors. The free Autoswagger tool from Intruder scans for exposed docs and flags endpoints with broken access controls—before attackers find them.
Timeline
- Exploit known to exist
- First article discovered by BleepingComputer
- Vulnerability published
- Vulnerability reserved