Attackers with standard user privileges can exploit endpoints like /idps/ldap and /idps/ldap/{id} to redirect LDAP authentication flows to malicious servers or extract LDAP service credentials. Rated 9.0/10 on the CVSS v3.1 scale, these flaws enable authenticated low-privilege users to manipulate LDAP authentication settings and other sensitive parameters through ZITADEL’s Admin API endpoints.

LDAP Hijacking: By modifying the ldap.host and ldap.baseDN parameters, attackers reroute authentication requests to rogue servers, intercepting credentials in transit.

Credential Extraction: The /idps/ldap/{id} endpoint leaks hashed LDAP service account passwords in API responses, enabling offline cracking.

Phishing Vector: Unauthorized changes to /text/login/{language} endpoints allow the injection of malicious content into login pages, facilitating social engineering.

ZITADEL’s security team confirmed that exploitation leaves minimal forensic traces, as configuration changes appear legitimate in audit logs. This incident underscores the critical need for continuous authorization testing in identity management systems, particularly those handling authentication flows for downstream applications.

Kaaviya is a Security Editor and fellow reporter with Cyber Security News.
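Because the article notes that these configuration changes look legitimate in audit logs, a useful compensating control is to correlate the caller's role with writes to the named endpoints. The following detection sketch is an added example, not code from the article or from ZITADEL: it assumes a hypothetical JSON-lines audit format with user, role, method, path and body fields, and an assumed admin role name IAM_OWNER, and flags non-admin writes to /idps/ldap, /idps/ldap/{id} and /text/login/{language}, plus non-admin reads of /idps/ldap/{id}.

```python
import json
import re

# Endpoints the article names as reachable by low-privilege users. The regexes
# are assumptions: {id} and {language} are treated as single path segments.
WRITE_SENSITIVE = [re.compile(r"^/idps/ldap(/[^/]+)?$"),
                   re.compile(r"^/text/login/[^/]+$")]
LDAP_BY_ID = re.compile(r"^/idps/ldap/[^/]+$")
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}
# Role names are assumptions for the constructed log; map to your own roles.
ADMIN_ROLES = {"IAM_OWNER"}


def flag_event(event):
    """Return a short reason if the event matches the abuse patterns the
    article describes (config tampering or LDAP credential readout by a
    non-admin), otherwise None."""
    if event.get("role") in ADMIN_ROLES:
        return None
    method, path = event.get("method", ""), event.get("path", "")
    who = f"{event.get('user')} ({event.get('role')})"
    if method in MUTATING and any(p.match(path) for p in WRITE_SENSITIVE):
        ldap = event.get("body", {}).get("ldap", {})
        changed = [k for k in ("host", "baseDN") if k in ldap]
        suffix = f" changing ldap.{','.join(changed)}" if changed else ""
        return f"{who} {method} {path}{suffix}"
    if method == "GET" and LDAP_BY_ID.match(path):
        return f"{who} read LDAP IdP config {path} (service credential exposure)"
    return None


def scan(lines):
    """Run flag_event over JSON-lines input and return every reason found."""
    return [r for r in (flag_event(json.loads(l)) for l in lines if l.strip()) if r]


# Constructed sample in a hypothetical JSON-lines audit format (not ZITADEL's
# real log schema); values are made up for the example.
SAMPLE_LOG = """\
{"user": "alice", "role": "ORG_MEMBER", "method": "PUT", "path": "/idps/ldap/7f3c", "body": {"ldap": {"host": "ldap.rogue.example", "baseDN": "dc=rogue,dc=example"}}}
{"user": "bob", "role": "IAM_OWNER", "method": "PUT", "path": "/idps/ldap/7f3c", "body": {"ldap": {"host": "ldap.corp.example"}}}
{"user": "alice", "role": "ORG_MEMBER", "method": "GET", "path": "/idps/ldap/7f3c"}
{"user": "carol", "role": "ORG_MEMBER", "method": "PUT", "path": "/text/login/en", "body": {"loginText": "..."}}
{"user": "carol", "role": "ORG_MEMBER", "method": "GET", "path": "/users/me"}
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print("ALERT:", hit)
```

The role check is the key step: the write itself is indistinguishable from a legitimate one, so the alert has to come from who performed it rather than from what changed.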
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 06 Mar 2025 12:20:20 +0000