Data Exposure Vulnerability in Octopus Deploy with Active Directory Authentication
CVE-2025-0589

6.9MEDIUM

Key Information:

Vendor: Octopus Deploy
Status: Octopus Server
Vendor: CVE Published:; 11 February 2025

🔔 Create Octopus Deploy Vulnerability Alert

Badges

👾 Exploit Exists📰 News Worthy

What is CVE-2025-0589?

In specific versions of Octopus Deploy utilizing Active Directory for user authentication, an unauthenticated attacker can exploit two API endpoints. This enables the retrieval of sensitive information from user profiles, including the user's email address and display name, as well as group details like Group ID and Display Name. Importantly, this vulnerability does not compromise any data stored within the Octopus Server product itself.

Affected Version(s)

Octopus Server Windows 2020.3.3 < 2024.3.13071

Octopus Server Windows 2024.4.401 < 2024.4.7065

News Articles

BleepingComputer

CVE-2025-0589

Free Tool Autoswagger Finds The API Flaws Attackers Hope You Miss

Exposed API documentation is a gift-wrapped roadmap for threat actors. The free Autoswagger tool from Intruder scans for exposed docs and flags endpoints with broken access controls—before attackers find them.

References

https://advisories.octopus.com/post/2025/sa2025-01/

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

👾
Exploit known to exist
Jul 28, 2025
📰
First article discovered by BleepingComputer
Jul 28, 2025
Vulnerability published
Feb 11, 2025
Vulnerability Reserved
Jan 20, 2025