Rapid7’s 2026 Global Cybersecurity Summit is now available on-demand.Watch sessions.
Rapid7

vulnerability

FreeBSD: VID-41711c0d-db27-11ef-873e-8447094a420f (CVE-2025-24364): Vaultwarden -- Multiple vulnerabilities

Severity
8
CVSS
(AV:N/AC:L/Au:M/C:C/I:C/A:C)
Published
Jan 25, 2025
Added
Feb 1, 2025
Modified
Jun 15, 2026

Description

vaultwarden is an unofficial Bitwarden compatible server written in Rust, formerly known as bitwarden_rs. Attacker with authenticated access to the vaultwarden admin panel can execute arbitrary code in the system. The attacker could then change some settings to use sendmail as mail agent but adjust the settings in such a way that it would use a shell command. It then also needed to craft a special favicon image which would have the commands embedded to run during for example sending a test email. This vulnerability is fixed in 1.33.0.

Solution

freebsd-upgrade-package-vaultwarden
Title
Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.