- Last update: 07/01/2025
- Affected software:
  → OpenCTI versions prior to 6.8.1
- Type:
  → CWE-285 Improper Authorization
  → CWE-566 Authorization Bypass Through User-Controlled SQL Primary Key
  → CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
- CVE/CVSS:
  → CVE-2025-61781: CVSS 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H)
  https://nvd.nist.gov/vuln/detail/CVE-2025-61781
  https://github.com/OpenCTI-Platform/opencti/security/advisories/GHSA-pr6m-q4g7-342c
OpenCTI is a widely used open-source platform for managing cyber threat intelligence knowledge for companies and individuals.
A vulnerability (CVE-2025-61781) has been found in OpenCTI that affects versions prior to 6.8.1. A network-based threat actor with low privileges, and without being authorized on the targeted resource, can delete an entire workspace without any user interaction.
As of the time of writing this advisory (2025-01-06), there is no evidence that a public proof-of-concept or a proof of exploitation exists.
The exploitation of CVE-2025-61781 can have a high impact on the Availability of the affected system, low impact on its Integrity, and no impact on its Confidentiality.
A remote, authenticated threat actor can bypass authorization by supplying a user-controlled primary key to delete workspace-related objects (dashboards, investigations). The GraphQL mutation "WorkspacePopoverDeletionMutation" resolves the target object from the client-supplied ID but does not verify that the caller owns that resource.
If the threat actor obtains the UUID of a workspace belonging to any other user, they can pass it to this mutation. Because no ownership check is performed, the mutation executes successfully and the entire workspace is deleted without the actor ever being authorized on it.
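The following is an added illustration of the authorization flaw described above, written for this advisory; it is not OpenCTI code and does not reproduce the real resolver. It assumes a hypothetical in-memory workspace store, a hypothetical `ADMIN` capability, and a GraphQL request whose operation name matches the mutation cited in the advisory; the users and workspaces are constructed fixtures. It shows the vulnerable pattern (trusting the client-supplied primary key after only an authentication check) next to a hardened resolver that performs a per-object ownership check before deleting.

```javascript
// Added example for CVE-2025-61781 (CWE-285 / CWE-566), not OpenCTI source.
// Store, users, workspaces and the ADMIN capability name are constructed/assumed.

// Constructed fixture: two workspaces owned by different users.
function makeStore() {
  return new Map([
    ['ws-1111', { id: 'ws-1111', type: 'dashboard', owner: 'alice' }],
    ['ws-2222', { id: 'ws-2222', type: 'investigation', owner: 'bob' }],
  ]);
}

// Vulnerable pattern: the resolver only checks that the caller is logged in,
// then deletes whatever object the client-supplied primary key points at.
// Any authenticated user who knows a workspace UUID can delete it.
function workspaceDeleteVulnerable(store, user, id) {
  if (!user) throw new Error('Unauthenticated');
  if (!store.has(id)) throw new Error('Not found');
  store.delete(id);
  return id;
}

// Hardened pattern: resolve the object first, then authorize the caller
// against THAT object (owner or an administrative capability) before acting.
function workspaceDeleteHardened(store, user, id) {
  if (!user) throw new Error('Unauthenticated');
  const ws = store.get(id);
  if (!ws) throw new Error('Not found');
  const isOwner = ws.owner === user.name;
  const isAdmin = user.capabilities.includes('ADMIN'); // assumed capability name
  if (!isOwner && !isAdmin) throw new Error('Forbidden');
  store.delete(id);
  return id;
}

// Minimal dispatcher: the workspace ID comes straight from the request
// variables, i.e. it is fully user-controlled. The resolver must not trust it.
function handleMutation(store, user, request, resolver) {
  if (request.operationName !== 'WorkspacePopoverDeletionMutation') {
    throw new Error('Unknown operation');
  }
  return resolver(store, user, request.variables.id);
}

// Low-privilege user "mallory" targets alice's dashboard with both resolvers.
function demo() {
  const mallory = { name: 'mallory', capabilities: [] };
  const request = {
    operationName: 'WorkspacePopoverDeletionMutation',
    variables: { id: 'ws-1111' }, // alice's workspace, not mallory's
  };

  const vulnStore = makeStore();
  handleMutation(vulnStore, mallory, request, workspaceDeleteVulnerable);

  const hardStore = makeStore();
  let hardenedError = null;
  try {
    handleMutation(hardStore, mallory, request, workspaceDeleteHardened);
  } catch (e) {
    hardenedError = e.message;
  }

  return {
    vulnerableDeleted: !vulnStore.has('ws-1111'),
    hardenedDeleted: !hardStore.has('ws-1111'),
    hardenedError,
  };
}
```

The defect is the order of operations: authentication is checked globally, but authorization is never evaluated against the specific object selected by the client-supplied key. The hardened version loads the object and decides based on its owner, which is the check the advisory says the affected mutation lacked.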
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable systems with the highest priority, after thorough testing. It is recommended to update OpenCTI to version 6.8.1 or later.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.