Reference:
Advisory #2025-013
Version:
1.0
Affected software:
Sentry SAML SSO >=21.12.0, =24.12.1
Type:
Authentication Bypass, Account Takeover
CVE/CVSS:
CVE-2025-22146: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Risks
The vulnerability poses several significant risks:
- Unauthorized account access - An attacker could fully control any user account, potentially including administrator accounts, depending on the email address they target.
- Data exposure - Once an attacker takes over an account, they gain access to all data and resources available to that user. This may include sensitive error logs, performance metrics, and user data managed through Sentry.
- Escalation of privileges - If an attacker compromises an account with administrative privileges, they could make system-wide changes, access other user data, and establish further persistence.
Exploitation of this vulnerability can have a high impact on confidentiality and integrity.
Description
A threat actor can exploit the vulnerability through the following steps:
- Reconnaissance - Attacker identifies a multi-organization Sentry instance and collects the victim’s email address (via breaches, phishing, or social media).
- Malicious IdP Setup - Attacker creates a fake SAML Identity Provider (IdP) to issue forged SAML assertions for the victim’s email address.
- Submission of Forged Assertion - Attacker submits the malicious SAML assertion to Sentry’s login endpoint, which fails to validate the IdP properly.
- Account Takeover - Attacker gains full access to the victim’s account, including any sensitive data and permissions.
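The defect the steps above describe is an assertion being accepted without binding its issuer to the organization that is being logged into. The following is an added example of the check a multi-organization SAML service provider has to make before trusting the asserted email; it is not Sentry's code, it uses constructed organization slugs, entity IDs and assertions, and it assumes the caller has already verified the XML signature against the certificate configured for that organization's IdP.

```python
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed per-organization SSO configuration for a multi-tenant service provider.
ORG_SSO_CONFIG = {
    "acme": {"idp_entity_id": "https://idp.acme.example/metadata",
             "sp_entity_id": "https://sentry.example/saml/metadata/acme/"},
    "globex": {"idp_entity_id": "https://idp.globex.example/metadata",
               "sp_entity_id": "https://sentry.example/saml/metadata/globex/"},
}

def extract_identity(org_slug, response_xml):
    """Return the asserted email only if the assertion is bound to org_slug's own IdP.
    Assumes the caller already verified the XML signature with the certificate
    configured for that organization's IdP (signature handling is out of scope here)."""
    cfg = ORG_SSO_CONFIG.get(org_slug)
    if cfg is None:
        raise ValueError("organization has no SAML provider configured")
    root = ET.fromstring(response_xml)
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    # The issuer must be the IdP configured for *this* organization, not just any IdP.
    issuer = assertion.findtext("saml2:Issuer", default="", namespaces=NS).strip()
    if issuer != cfg["idp_entity_id"]:
        raise ValueError(f"issuer {issuer!r} is not the IdP configured for {org_slug}")
    # The audience must be this organization's SP entity ID, so one tenant's assertion is useless for another.
    audiences = [a.text.strip() for a in assertion.iterfind(
        "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS) if a.text]
    if cfg["sp_entity_id"] not in audiences:
        raise ValueError("assertion audience does not match this organization")
    email = assertion.findtext("saml2:Subject/saml2:NameID", default="", namespaces=NS).strip()
    if not email:
        raise ValueError("assertion carries no NameID")
    return email

def build_response(issuer, audience, email):
    """Constructed, unsigned SAML response used only as a test fixture for the check above."""
    return f"""<saml2p:Response xmlns:saml2p="{NS['saml2p']}" xmlns:saml2="{NS['saml2']}">
  <saml2:Assertion><saml2:Issuer>{issuer}</saml2:Issuer>
    <saml2:Subject><saml2:NameID>{email}</saml2:NameID></saml2:Subject>
    <saml2:Conditions><saml2:AudienceRestriction><saml2:Audience>{audience}</saml2:Audience>
    </saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion></saml2p:Response>"""
```

An assertion issued by a different organization's IdP, even one naming a valid email of the target organization, is rejected at the issuer check rather than being mapped to a user by email.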
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.