CVE-2025-49825
published 2025-06-17

CVE-2025-49825: Teleport provides connectivity, authentication, access controls and audit for infrastructure. Community Edition versions before and including 17.5.1 are…

Priority: P276
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 7.75% (93.9th percentile)
Teleport provides connectivity, authentication, access controls and audit for infrastructure. Community Edition versions before and including 17.5.1 are vulnerable to remote authentication bypass. At time of posting, there is no available open-source patch.

Affected

9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | gravitational_teleport | 0 – 0.0.0-20250616162021-79b2f26125a1 | |
| github.com | gravitational_teleport | >= 0.0.11 < 12.4.35 | 12.4.35 |
| github.com | gravitational_teleport | >= 0.0.11 | |
| github.com | gravitational_teleport | >= 13.0.0 < 13.4.27 | 13.4.27 |
| github.com | gravitational_teleport | >= 14.0.0 < 14.4.1 | 14.4.1 |
| github.com | gravitational_teleport | >= 15.0.0 < 15.5.3 | 15.5.3 |
| github.com | gravitational_teleport | >= 16.0.0 < 16.5.12 | 16.5.12 |
| github.com | gravitational_teleport | >= 17.0.0 < 17.5.2 | 17.5.2 |
| gravitational | teleport | <= 17.5.1 | |

Detection & IOCs (extracted from sources)

url: /webapi/ping
cookie: __Host-grv_csrf
other: favicon hash: 544208100
other: favicon hash: 1854879765
other: favicon hash: -1275955539
  • Probe GET /webapi/ping and extract the server_version JSON field; match if the response body contains both 'server_version' and 'teleport' and the version falls within a vulnerable range.
  • Vulnerable version ranges: any 17.x before 17.5.2, 16.x before 16.5.12, 15.x before 15.5.3, 14.x before 14.4.1, 13.x before 13.4.27, and any 12.x before 12.4.35.
  • Identify Teleport instances via Shodan/FOFA using favicon hashes 544208100, 1854879765, or -1275955539, or by the presence of the Set-Cookie header containing __Host-grv_csrf.
  • Community Edition versions before and including 17.5.1 are confirmed vulnerable; no open-source patch was available at time of NVD posting, so verify patch availability before relying on version checks alone.
  • The Nuclei template version-check DSL uses broad major-version equality matchers (e.g., '= 17.0.0') which may not accurately capture all patch levels; supplement with the '< 12.4.35' style comparisons for older branches.
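
The version check described in the bullets above, written as an added example for auditing your own inventory (it is not code from this page, from Teleport, or from the Nuclei template). The response bodies, host labels, the `cluster_name` field value and the pre-release handling are assumptions constructed for illustration; the fixed versions come from the table above.

```python
import json
import re

# First fixed release per major branch, from the "Fixed in" column on this page.
FIXED = {12: (12, 4, 35), 13: (13, 4, 27), 14: (14, 4, 1),
         15: (15, 5, 3), 16: (16, 5, 12), 17: (17, 5, 2)}
_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?")

def parse_version(text):
    """Return ((major, minor, patch), is_prerelease), or None if unparseable."""
    m = _VER.match(text.strip())
    if m is None:
        return None
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(4) is not None

def classify(body):
    """Classify one /webapi/ping response body by its server_version."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-teleport"
    # Fingerprint from the page: body mentions server_version and teleport.
    if (not isinstance(doc, dict) or "server_version" not in doc
            or "teleport" not in body.lower()):
        return "not-teleport"
    parsed = parse_version(str(doc["server_version"]))
    if parsed is None:
        return "unknown"
    version, prerelease = parsed
    if version[0] < 12:
        return "vulnerable"   # older than 12.x: no fixed release listed for it
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "unknown"      # branch not listed on this page
    # Assumption: a pre-release of the fixed version predates the fix.
    if version < fixed or (version == fixed and prerelease):
        return "vulnerable"
    return "patched"

# Constructed response bodies (not captured from real servers).
SAMPLES = {
    "proxy-a": '{"server_version": "17.5.1", "cluster_name": "teleport.example.internal"}',
    "proxy-b": '{"server_version": "17.5.2", "cluster_name": "teleport.example.internal"}',
    "proxy-c": '{"server_version": "16.5.12-rc.1", "cluster_name": "teleport.example.internal"}',
    "proxy-d": '{"server_version": "18.0.0", "cluster_name": "teleport.example.internal"}',
    "other": '{"status": "ok"}',
}

def audit(samples=SAMPLES):
    """Map each host label to its verdict."""
    return {host: classify(body) for host, body in samples.items()}
```

A matcher that only tests the major version would flag `proxy-a` and `proxy-b` alike; the per-branch comparison separates them.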