CVE-2025-0539

Summary

In affected Microsoft Windows versions of Octopus Deploy, the server can be coerced into sending server-side requests that contain authentication material allowing a suitably positioned attacker to compromise the account running Octopus Server and potentially the host infrastructure itself.

Affected Software

VendorProductVersion RangeStatus
Octopus DeployOctopus Server2.6.0 < 2024.3.13071affected
Octopus DeployOctopus Server2024.4.401 < 2024.4.7065affected

Weaknesses

  • Server Side Request Forgery

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References