
Apache Cassandra, the widely used open-source NoSQL database, has published three security advisories that together expose sensitive data to unauthorized access and manipulation. The three flaws differ in mechanism, span a wide range of Cassandra releases, and are a serious concern for organizations that run the platform for mission-critical data.
The most serious, tracked as CVE-2025-24860, lets a role bypass network authorization. The bug sits in CassandraNetworkAuthorizer and, on 5.0, CassandraCIDRAuthorizer: a role that has been restricted to particular data centers can reach data centers it was never granted, crossing the boundaries those authorizers exist to enforce. Worse, a user with restricted data center access can widen their own access by issuing Data Control Language (DCL) statements, so the restriction is effectively self-removable. Only clusters that have switched network_authorizer in cassandra.yaml (or the corresponding cidr_authorizer setting in 5.0) away from the AllowAll default are exposed to this particular bug, but those are precisely the deployments that depend on the check. Affected releases are 4.0.0 through 4.0.15, 4.1.0 through 4.1.7, and 5.0.0 through 5.0.2.
The second, CVE-2025-23015, is a privilege escalation. MODIFY is the ordinary write permission (INSERT, UPDATE, DELETE, TRUNCATE), and granting it ON ALL KEYSPACES is a common shortcut for application roles; on affected versions a role holding that grant can use unsafe actions against a system resource to become a superuser, at which point it controls the whole cluster. The affected range is far broader than the first flaw: every release line from 3.0 through 5.0 is hit (3.0.x up to 3.0.30, 3.11.x up to 3.11.17, 4.0.x up to 4.0.15, 4.1.x up to 4.1.7, and 5.0.x up to 5.0.2). Operators who have granted MODIFY on all keyspaces on one of those versions are advised to review their data access rules for evidence that the grant has already been abused, not merely to remove it.
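The review the advisory asks for starts with finding out which roles actually hold MODIFY ON ALL KEYSPACES, including roles that inherit it through role membership. The script below is an added example, not code from the Apache Cassandra project; it works on rows shaped like Cassandra's system_auth.roles (role, is_superuser, member_of) and system_auth.role_permissions (role, resource, permissions), and the rows it ships with are constructed sample data. Against a live cluster you would fetch the real rows with the driver and feed them to the same functions.

```python
"""Audit which Cassandra roles hold MODIFY on ALL KEYSPACES, the precondition
for CVE-2025-23015, including grants inherited through role membership.

Added example, not Apache Cassandra project code. On a real cluster fetch the
inputs with:
    SELECT role, is_superuser, member_of FROM system_auth.roles;
    SELECT role, resource, permissions FROM system_auth.role_permissions;
(LIST ALL PERMISSIONS shows the same grants interactively.)
"""
from collections import deque
from typing import Dict, List, Set, Tuple

Roles = Dict[str, Tuple[bool, Set[str]]]   # role -> (is_superuser, member_of)
Perms = Dict[Tuple[str, str], Set[str]]    # (role, resource) -> permissions

# Cassandra's resource name for ALL KEYSPACES; a keyspace is "data/<ks>"
# and a table is "data/<ks>/<table>".
ALL_KEYSPACES = "data"

# Constructed sample of system_auth.roles
SAMPLE_ROLES: Roles = {
    "cassandra":  (True,  set()),
    "app_rw":     (False, set()),
    "etl":        (False, {"app_rw"}),     # GRANT app_rw TO etl
    "analyst":    (False, set()),
    "report_svc": (False, {"analyst"}),    # GRANT analyst TO report_svc
}

# Constructed sample of system_auth.role_permissions
SAMPLE_PERMS: Perms = {
    ("app_rw", "data"):               {"SELECT", "MODIFY"},  # ON ALL KEYSPACES
    ("analyst", "data/sales"):        {"SELECT"},            # ON KEYSPACE sales
    ("analyst", "data/sales/orders"): {"MODIFY"},            # ON TABLE sales.orders
}


def expand_roles(role: str, roles: Roles) -> Set[str]:
    """Return the role plus every role it inherits, transitively, via member_of."""
    seen = {role}
    queue = deque([role])
    while queue:
        _, parents = roles.get(queue.popleft(), (False, set()))
        for parent in parents:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def modify_on_all_keyspaces(roles: Roles, perms: Perms) -> Dict[str, Set[str]]:
    """Map each non-superuser role to the roles (itself or inherited) whose grant
    gives it MODIFY on ALL KEYSPACES. Superusers are skipped: they already hold
    every permission, so the escalation adds nothing for them."""
    findings: Dict[str, Set[str]] = {}
    for role, (is_superuser, _) in roles.items():
        if is_superuser:
            continue
        granting = {
            r for r in expand_roles(role, roles)
            if "MODIFY" in perms.get((r, ALL_KEYSPACES), set())
        }
        if granting:
            findings[role] = granting
    return findings


def revoke_statements(findings: Dict[str, Set[str]]) -> List[str]:
    """CQL that removes the direct grants; inherited exposure goes with them.
    Re-grant MODIFY per keyspace afterwards for the keyspaces a role really needs."""
    direct = sorted({r for granting in findings.values() for r in granting})
    return [f"REVOKE MODIFY ON ALL KEYSPACES FROM {r};" for r in direct]


if __name__ == "__main__":
    found = modify_on_all_keyspaces(SAMPLE_ROLES, SAMPLE_PERMS)
    for role, via in sorted(found.items()):
        print(f"{role}: MODIFY ON ALL KEYSPACES via {', '.join(sorted(via))}")
    print("\n".join(revoke_statements(found)))
```

On the sample data the audit flags app_rw (direct grant) and etl (inherited from app_rw), while analyst and report_svc, whose MODIFY is scoped to one table, are left alone. Revoking the grant is the containment step; the advisory's point is that on an unpatched version you also have to look for evidence that a flagged role already used it.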
The third, CVE-2024-27137, is a regression of CVE-2020-13946: unrestricted deserialization of JMX authentication credentials is back. Cassandra exposes JMX over RMI, and a local attacker who has no access to the Cassandra process or its configuration files can manipulate the RMI registry to mount a man-in-the-middle attack and capture the username and password used to log in to JMX, then reuse those credentials to perform unauthorized operations through the same interface. The original fix relied on a Java option whose behaviour changed in JDK 10, which is why only builds running on Java 11 are affected: 4.0.2 through 5.0.2. Cassandra's default of binding JMX to localhost does not help here, since a local attacker is exactly the threat.
Organizations running Cassandra should act now. Upgrading is the fix: the patched releases are 3.0.31, 3.11.18, 4.0.16, 4.1.8 and 5.0.3, and each line's patch closes every one of the three issues that applies to it. Beyond patching, rigorous access control management (least-privilege grants per keyspace rather than ON ALL KEYSPACES, and data center restrictions that are verified rather than assumed) and regular security audits reduce the chance that the next flaw of this kind is exploitable. The integrity and availability of critical data depend on it.
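Because the three advisories cover different version ranges and one of them is conditional on the Java major, a fleet check is easy to get wrong by hand. The helper below is an added example, not Apache Cassandra project code: it encodes the affected ranges and fix versions exactly as the advisories above state them, accepts either a bare version string or the "ReleaseVersion: x.y.z" line that nodetool version prints, and takes the Java major (from java -version) as a separate argument because only CVE-2024-27137 depends on it.

```python
"""Check a Cassandra build against the three advisories and name the first
fixed release on its branch.

Added example, not Apache Cassandra project code. Affected ranges and fix
versions are the ones the advisories list; the Java 11 condition applies to
CVE-2024-27137 only."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Extract the first x.y.z triple; a -SNAPSHOT or -beta suffix is ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


# Inclusive affected ranges per advisory, one entry per release line.
AFFECTED: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2025-24860": [((4, 0, 0), (4, 0, 15)), ((4, 1, 0), (4, 1, 7)),
                       ((5, 0, 0), (5, 0, 2))],
    "CVE-2025-23015": [((3, 0, 0), (3, 0, 30)), ((3, 11, 0), (3, 11, 17)),
                       ((4, 0, 0), (4, 0, 15)), ((4, 1, 0), (4, 1, 7)),
                       ((5, 0, 0), (5, 0, 2))],
    "CVE-2024-27137": [((4, 0, 2), (4, 0, 15)), ((4, 1, 0), (4, 1, 7)),
                       ((5, 0, 0), (5, 0, 2))],
}
# Advisories that only apply when the node runs a particular Java major.
JAVA_DEPENDENT: Dict[str, int] = {"CVE-2024-27137": 11}

# First release on each line that carries all of the fixes for that line.
FIXED: Dict[Tuple[int, int], Version] = {
    (3, 0): (3, 0, 31), (3, 11): (3, 11, 18),
    (4, 0): (4, 0, 16), (4, 1): (4, 1, 8), (5, 0): (5, 0, 3),
}


def exposure(version_text: str, java_major: int) -> List[str]:
    """CVE IDs that apply to this build on this Java major, sorted."""
    v = parse_version(version_text)
    hits = []
    for cve, ranges in AFFECTED.items():
        if cve in JAVA_DEPENDENT and java_major != JAVA_DEPENDENT[cve]:
            continue
        if any(lo <= v <= hi for lo, hi in ranges):
            hits.append(cve)
    return sorted(hits)


def recommended_upgrade(version_text: str) -> Optional[str]:
    """Fixed release on the same line, or None when the build is already at or
    past it. Raises for release lines the advisories give no guidance for."""
    v = parse_version(version_text)
    line = (v[0], v[1])
    if line not in FIXED:
        raise ValueError(f"no advisory guidance for release line {line[0]}.{line[1]}")
    fixed = FIXED[line]
    return None if v >= fixed else ".".join(str(n) for n in fixed)


if __name__ == "__main__":
    # Constructed sample of (nodetool version output, java major) per node.
    for build, java in [("ReleaseVersion: 4.1.7", 11), ("4.0.1", 17),
                        ("3.11.17", 11), ("5.0.3", 11)]:
        print(f"{build} on Java {java}: {exposure(build, java) or 'not affected'}, "
              f"upgrade to {recommended_upgrade(build)}")
```

Note the two cases the ranges encode that a quick glance at "4.0.2 through 5.0.2" would miss: a 4.0.1 node is untouched by CVE-2024-27137 but still affected by the other two, and a 4.1.7 node on Java 17 drops the JMX issue yet still needs 4.1.8 for the authorization bugs.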