Data Exposure Vulnerability in Octopus Deploy with Active Directory Authentication
CVE-2025-0589

6.9MEDIUM

Key Information:

Vendor
CVE Published:
11 February 2025

Badges

👾 Exploit Exists📰 News Worthy

What is CVE-2025-0589?

In specific versions of Octopus Deploy utilizing Active Directory for user authentication, an unauthenticated attacker can exploit two API endpoints. This enables the retrieval of sensitive information from user profiles, including the user's email address and display name, as well as group details like Group ID and Display Name. Importantly, this vulnerability does not compromise any data stored within the Octopus Server product itself.

Affected Version(s)

Octopus Server Windows 2020.3.3 < 2024.3.13071

Octopus Server Windows 2024.4.401 < 2024.4.7065

News Articles

Free Tool Autoswagger Finds The API Flaws Attackers Hope You Miss

Exposed API documentation is a gift-wrapped roadmap for threat actors. The free Autoswagger tool from Intruder scans for exposed docs and flags endpoints with broken access controls—before attackers find them.

5 days ago

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • 👾

    Exploit known to exist

  • 📰

    First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved

.