Overview
CVE-2025-64717 describes a critical vulnerability in ZITADEL, an open-source identity management platform. This flaw allows for potential account takeovers by exploiting a bypass in the federated authentication process. Specifically, the vulnerability enables the auto-linking of users from external identity providers (IdPs) to existing ZITADEL user accounts, even when the IdP should be disabled or federation is disallowed for the organization.
Technical Details
The vulnerability stems from ZITADEL’s failure to properly enforce organization-specific security settings during the authentication flow. Even if an Organization Administrator explicitly disables an IdP or disallows federated authentication, the system fails to honor this setting during the auto-linking process. An unauthenticated attacker can initiate a login using an IdP that should be disabled for that organization. The platform incorrectly validates the login and, based on matching criteria, links the attacker’s external identity to an existing internal user account. Only IdPs created at the instance level can be abused this way; IdPs registered to another organization are always denied in the (auto-)linking process.
This vulnerability is present in ZITADEL versions starting from 2.50.0 and prior to versions 2.71.19, 3.4.4, and 4.6.6.
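To make the missing check concrete, here is an added example (not ZITADEL’s own code) that models the decision the platform has to make when an external login arrives for an organization. The types, field names and both functions are assumptions for illustration: the first function reproduces the pre-fix behaviour described above, where only IdP ownership is examined, so an instance-level IdP passes even when the organization has switched federation off; the second adds the organization login-policy checks that must run before any external identity is linked.

```go
package main

import (
	"errors"
	"fmt"
)

// IdPConfig is a hypothetical model (not ZITADEL's own type) of an identity
// provider definition. An empty OwnerOrgID marks an instance-level IdP.
type IdPConfig struct {
	ID         string
	OwnerOrgID string
}

// LoginPolicy is a hypothetical model of the organization settings that
// govern federated login: the global switch and the set of enabled IdPs.
type LoginPolicy struct {
	AllowExternalIdP bool
	ActiveIdPs       map[string]bool
}

var (
	ErrIdPNotOwned   = errors.New("idp belongs to another organization")
	ErrFederationOff = errors.New("federated login disabled for organization")
	ErrIdPNotActive  = errors.New("idp not enabled for organization")
)

// vulnerableAutoLinkAllowed mirrors the pre-fix behaviour the advisory
// describes: only IdP ownership is checked, so an instance-level IdP passes
// even when the organization has disabled it or federation altogether.
func vulnerableAutoLinkAllowed(idp IdPConfig, orgID string, _ LoginPolicy) error {
	if idp.OwnerOrgID != "" && idp.OwnerOrgID != orgID {
		return ErrIdPNotOwned
	}
	return nil
}

// fixedAutoLinkAllowed keeps the ownership check and adds the organization
// login-policy checks that must pass before an external identity is linked.
func fixedAutoLinkAllowed(idp IdPConfig, orgID string, policy LoginPolicy) error {
	if err := vulnerableAutoLinkAllowed(idp, orgID, policy); err != nil {
		return err
	}
	if !policy.AllowExternalIdP {
		return ErrFederationOff
	}
	if !policy.ActiveIdPs[idp.ID] {
		return ErrIdPNotActive
	}
	return nil
}

func main() {
	// Constructed sample data: one instance-level IdP, one owned by "org-b",
	// and an organization "org-a" that has federated login switched off.
	instanceIdP := IdPConfig{ID: "idp-instance-1"}
	orgBIdP := IdPConfig{ID: "idp-org-b", OwnerOrgID: "org-b"}
	lockedDown := LoginPolicy{AllowExternalIdP: false, ActiveIdPs: map[string]bool{}}

	for _, idp := range []IdPConfig{instanceIdP, orgBIdP} {
		fmt.Printf("%-15s vulnerable=%v fixed=%v\n", idp.ID,
			vulnerableAutoLinkAllowed(idp, "org-a", lockedDown),
			fixedAutoLinkAllowed(idp, "org-a", lockedDown))
	}
}
```

Running it shows the asymmetry the advisory points out: the organization-owned IdP is rejected by both versions of the check, while the instance-level IdP is accepted by the vulnerable check and rejected by the fixed one because the organization’s login policy forbids it.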
CVSS Analysis
Due to the potential for full account takeover, this vulnerability carries a significant risk. However, a CVSS score is not currently available. Further analysis is required to calculate a more precise score.
Given the impact, it is highly recommended to apply the necessary patches as soon as possible.
Possible Impact
The exploitation of CVE-2025-64717 can lead to a full account takeover, allowing an attacker to gain unauthorized access to sensitive data and resources associated with the compromised account. This bypasses the organization’s mandated security controls. Note that accounts with MFA enabled cannot be taken over by this attack.
Mitigation or Patch Steps
The recommended mitigation is to upgrade ZITADEL to one of the patched versions:
- Upgrade to version 2.71.19 or later
- Upgrade to version 3.4.4 or later
- Upgrade to version 4.6.6 or later
These versions correctly validate the organization’s login policy before auto-linking an external user. No known workarounds are available aside from upgrading.
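For teams checking an inventory of ZITADEL deployments against the ranges above, here is an added helper (example code, not part of the advisory or of ZITADEL) that parses a release tag and reports whether it falls inside an affected range. The ranges are taken from this advisory; the lower bounds 3.0.0 and 4.0.0 for the 3.x and 4.x lines are an assumption following from "prior to 3.4.4" and "prior to 4.6.6", and pre-release suffixes are deliberately ignored.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// semver holds the numeric part of a release tag such as "v2.71.18".
type semver struct{ major, minor, patch int }

// parseSemver accepts "2.71.18" or "v2.71.18". A pre-release or build
// suffix on the patch component (e.g. "-rc.1") is dropped, so a release
// candidate of a fixed version counts as fixed here; adjust if that matters.
func parseSemver(s string) (semver, error) {
	parts := strings.SplitN(strings.TrimPrefix(s, "v"), ".", 3)
	if len(parts) != 3 {
		return semver{}, fmt.Errorf("version %q is not MAJOR.MINOR.PATCH", s)
	}
	if i := strings.IndexAny(parts[2], "-+"); i >= 0 {
		parts[2] = parts[2][:i]
	}
	var n [3]int
	for i, p := range parts {
		v, err := strconv.Atoi(p)
		if err != nil {
			return semver{}, fmt.Errorf("version %q: %w", s, err)
		}
		n[i] = v
	}
	return semver{n[0], n[1], n[2]}, nil
}

func (a semver) less(b semver) bool {
	if a.major != b.major {
		return a.major < b.major
	}
	if a.minor != b.minor {
		return a.minor < b.minor
	}
	return a.patch < b.patch
}

// affectedRanges are half-open [from, fixed) ranges from the advisory:
// 2.50.0 up to but excluding 2.71.19, and (assumed lower bounds) every
// 3.x before 3.4.4 and every 4.x before 4.6.6.
var affectedRanges = []struct{ from, fixed semver }{
	{semver{2, 50, 0}, semver{2, 71, 19}},
	{semver{3, 0, 0}, semver{3, 4, 4}},
	{semver{4, 0, 0}, semver{4, 6, 6}},
}

// IsAffected reports whether the given ZITADEL version lies in a range the
// advisory lists as vulnerable to CVE-2025-64717.
func IsAffected(version string) (bool, error) {
	v, err := parseSemver(version)
	if err != nil {
		return false, err
	}
	for _, r := range affectedRanges {
		if !v.less(r.from) && v.less(r.fixed) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample tags spanning the boundaries of each range.
	for _, v := range []string{"v2.49.3", "2.50.0", "v2.71.18", "v2.71.19", "v3.4.3", "v4.6.5", "v4.6.6"} {
		affected, err := IsAffected(v)
		fmt.Printf("%-9s affected=%v err=%v\n", v, affected, err)
	}
}
```

The check is by version only; it says nothing about whether a given organization has federation enabled, so an affected version should be upgraded regardless of current policy settings.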
