
BI.ZONE discovers two high‑impact vulnerabilities in Vaultwarden
Vaultwarden is a free open-source password manager with a Bitwarden-compatible API. In Russia, the solution’s popularity is on the rise: 10% of local companies use Vaultwarden this year, according to BI.ZONE TDR.
Like any other secrets manager, Vaultwarden is a critical service that requires heightened security oversight. A compromised instance exposes the credentials it stores and, through them, the corporate systems and data those credentials protect.
This prompted our research, which revealed two high-impact vulnerabilities, subsequently assigned CVE‑2025‑24364 and CVE‑2025‑24365. Both affect all Vaultwarden releases up to and including 1.32.7 and were patched in version 1.33.0.
CVE-2025-24365 stems from an access control flaw in the organization endpoints. An adversary with only limited rights in organization A can create a new organization B, of which they become administrator by default. They then send requests to organization endpoints with organization A's identifier in the path parameter and organization B's identifier in the GET query string. The authorization check is satisfied by the organization named in the query (B, where the adversary is admin), while the operation is applied to the organization named in the path (A). As a result, the adversary can grant themselves admin rights in organization A. Note that no special privileges are needed as a starting point: any ordinary member of organization A can carry this out.
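To make the bug class concrete, the following Rust model is an added example written for this article; it is not Vaultwarden's code and does not reproduce its internals. It assumes a simplified membership table, a request type carrying the path organization id and the query-string parameters, and a hypothetical admin guard in two forms: a vulnerable version that checks the caller's role against whichever organization id the query string names, and a hardened version that binds the check to the path id and rejects a disagreeing query id. A small parser over a constructed request line shows the same mismatch as a detection rule.

```rust
use std::collections::HashMap;

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Role {
    Admin,
    User,
}

/// One row of a constructed membership table (demo data, not real Vaultwarden data).
pub struct Membership {
    pub user: &'static str,
    pub org: &'static str,
    pub role: Role,
}

/// A request to an organization endpoint: the id from the path segment
/// `/api/organizations/<org_id>/...` plus the parsed query-string parameters.
pub struct OrgRequest<'a> {
    pub path_org_id: &'a str,
    pub query: HashMap<&'a str, &'a str>,
}

pub fn role_in(members: &[Membership], user: &str, org: &str) -> Option<Role> {
    members.iter().find(|m| m.user == user && m.org == org).map(|m| m.role)
}

/// Vulnerable guard (hypothetical model of the flaw): the role check uses the
/// query-string org id when present, but the handler always acts on the path id.
pub fn admin_guard_vulnerable<'a>(
    members: &[Membership],
    user: &str,
    req: &OrgRequest<'a>,
) -> Result<&'a str, &'static str> {
    let checked_org = req.query.get("org_id").copied().unwrap_or(req.path_org_id);
    match role_in(members, user, checked_org) {
        Some(Role::Admin) => Ok(req.path_org_id), // authorized against B, acting on A
        _ => Err("forbidden"),
    }
}

/// Hardened guard: the role check is bound to the path id, and a query-string
/// org id that disagrees with the path is rejected before any role lookup.
pub fn admin_guard_fixed<'a>(
    members: &[Membership],
    user: &str,
    req: &OrgRequest<'a>,
) -> Result<&'a str, &'static str> {
    if let Some(q) = req.query.get("org_id") {
        if *q != req.path_org_id {
            return Err("org_id in query does not match path");
        }
    }
    match role_in(members, user, req.path_org_id) {
        Some(Role::Admin) => Ok(req.path_org_id),
        _ => Err("forbidden"),
    }
}

/// Detection-style check over a raw request line such as
/// `GET /api/organizations/<id>/users?org_id=<id2> HTTP/1.1`.
/// Returns (path id, query id) when the two disagree, None otherwise.
pub fn org_id_mismatch(request_line: &str) -> Option<(String, String)> {
    let target = request_line.split_whitespace().nth(1)?;
    let (path, query) = target.split_once('?').unwrap_or((target, ""));
    let path_id = path
        .strip_prefix("/api/organizations/")?
        .split('/')
        .next()
        .filter(|s| !s.is_empty())?;
    let query_id = query
        .split('&')
        .filter_map(|kv| kv.split_once('='))
        .find(|(k, _)| *k == "org_id")
        .map(|(_, v)| v)?;
    if path_id != query_id {
        Some((path_id.to_string(), query_id.to_string()))
    } else {
        None
    }
}

/// Constructed scenario: mallory is a plain user in org-A and admin of org-B,
/// which she created herself. Returns (vulnerable guard allows, fixed guard allows).
pub fn demo() -> (bool, bool) {
    let members = [
        Membership { user: "mallory", org: "org-A", role: Role::User },
        Membership { user: "mallory", org: "org-B", role: Role::Admin },
    ];
    let mut query = HashMap::new();
    query.insert("org_id", "org-B");
    let req = OrgRequest { path_org_id: "org-A", query };
    let vulnerable_allows = admin_guard_vulnerable(&members, "mallory", &req).is_ok();
    let fixed_allows = admin_guard_fixed(&members, "mallory", &req).is_ok();
    (vulnerable_allows, fixed_allows)
}

fn main() {
    let (v, f) = demo();
    println!("vulnerable guard grants admin action on org-A: {v}");
    println!("hardened guard grants admin action on org-A:   {f}");
    let line = "GET /api/organizations/org-A/users?org_id=org-B HTTP/1.1";
    if let Some((p, q)) = org_id_mismatch(line) {
        println!("mismatch detected: path={p} query={q}");
    }
}
```

The design point is that an authorization guard must derive the resource identity from the same place the handler does; accepting the id from more than one location (path and query) and checking only one of them is what lets a caller split the two. The `org_id_mismatch` check is the kind of rule a WAF or log pipeline can apply to catch attempts even on an unpatched instance, but it is a compensating control, not a fix.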
CVE-2025-24364 is a remote code execution (RCE) vulnerability. An attacker who already holds admin privileges can execute arbitrary commands on the server and, from there, read the secrets of every organization stored in the Vaultwarden vault. With those secrets in hand, the attacker can take control of the systems and components they protect and exfiltrate sensitive data.
Upgrading to Vaultwarden 1.33.0 or later removes both flaws and should be the first step. Until that is done, BI.ZONE WAF can serve as a compensating control: rules configured in the service detect and block attempts to exploit the two CVEs without disrupting Vaultwarden's normal logic. Exploitation attempts can also be detected with BI.ZONE EDR.