{
  "vulnerability": "CVE-2025-66391",
  "sightings": [
    {
      "uuid": "0f5819ac-5fe7-4808-9721-b5823f1b2557",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2025-66391",
      "type": "seen",
      "source": "https://gist.github.com/mandeepsohal/be8266041311404f8c6fc4f5f2c38230",
      "content": "Severity: Medium\n\nDate of Finding: 2025-11-10\n\nExploit Author: Mandeep Singh and Faan De Klerk\n\nVendor Homepage: https://www.citrix.com/\n\nSoftware Link: https://www.citrix.com/products/citrix-cloud/\n\nVersion: Citrix Cloud through 2025-11-10\n\nTested on: Windows 11 / Microsoft Edge / Microsoft SSO Environment\n\nCVE: CVE-2025-66391\n\nGoogle Dork: N/A\n\nDescription\nIn Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write operations, e.g., the system will send a one-time password to an attacker-controlled email address when the attacker attempts to reset the password of a user account.\n\nProof of Concept (PoC)\n\nStep 1:\nServer response aligned with the permissions granted to the account.\n\nStep 2:\nRefresh the profile page and intercept the server response.\n\nStep 3:\nManipulate the server\u2019s response fields, replacing them with the following values:\n\n{\n\"name\":\"Mandeep Singh2\",\n\"email\":\"user email\",\n\"showMfaSettings\":true,\n\"mfaStatus\":\"Disabled\",\n\"recoveryPhone\":null,\n\"backupCodesCount\":0,\n\"recoveryEmail\":\"new email\",\n\"verificationEmailTemplate\":\"52107647-ed1f-4c2-6ff011578709\",\n\"primaryCodeEmailTemplate\":\"a6ba6ec3-bf4a-4722-a620-c768f4f9597f\",\n\"recoveryCodeEmailTemplate\":\"8d709d01-6421-45b1-a51f-c95e43354c96\",\n\"verificationEmailTtl\":86400,\n\"canChangePassword\":true,\n\"canChangePrimaryEmail\":true,\n\"changeEmailTemplate\":\"e6b19552-a61c-4454-a8e3-f0c886b44255\"\n}\n\nStep 4:\nReview the server response in the browser.\n\nStep 5:\nThe application allows triggering privileged features without proper checks. When the change email function was accessed, it bypassed authorization validation, redirected to the email change page, and sent an OTP to the newly provided email address.\n\nNote: When a Gmail address was supplied, the system successfully delivered the OTP to that address as well.\n\nIn the same way, the password change function can also be initiated.\n\nImpact\n\u2022 Exposure of Sensitive Features: Unauthorized users can access and interact with identity management flows not intended for them.\n\u2022 Account Takeover Risk: Even though final takeover was not achieved, the ability to send OTPs to attacker-controlled addresses demonstrates a partial compromise of account security controls.\nNote: During the testing, initial authentication was performed using an SSO account. This issue may have a greater impact when individual (username and password, non-SSO) accounts are in use, potentially leading to full account compromise or the achievement of the highest privileges.\n\u2022 Client-Side Authorization: Reliance on client-side checks allows attackers to interact with privileged functionality despite lacking permissions.\n\u2022 Misconfiguration with SSO: Reliance on UI checks instead of backend validation breaks trust boundaries with Microsoft SSO integration.\n\nAn attacker with read-only access could potentially escalate privileges, disrupt accounts, or exploit weak state handling to achieve full takeover.\n\nRecommendation\n1. Enforce Authorization at Backend\n   - All identity-related endpoints (password reset, MFA management, email change) must verify user role/permissions on the server side, regardless of client state.\n2. Deny Unauthorized Requests Early\n   - Requests from unauthorized users should be rejected before any side-effect (e.g., before sending OTP emails).\n3. Strengthen State/Session Handling\n   - Ensure OTP validation and other flows only occur for users with explicit authorization.\n   - Handle failed or unauthorized OTP attempts with clear error responses, not session termination or logout.\n",
      "creation_timestamp": "2026-05-29T06:28:20.000000Z"
    }
  ]
}