Full Report
An urgent patch has been released for two bugs affecting the Matrix messaging protocol used by some governments for secure communications.
Analysis Summary
# Vulnerability: Matrix Protocol High-Severity Flaws Leading to Control Seizure
## CVE Details
- CVE ID: CVE-2025-49090 (for the first issue)
- CVSS Score: Not yet assigned
- CWE: Not specified (Issue 1 relates to authorization/privilege escalation; Issue 2 relates to predictability/weak randomness)
## Affected Systems
- Products: Matrix Protocol implementations (used by entities like the French government's Tchap, German armed forces, and other public sector entities).
- Versions: All versions prior to the security release.
- Configurations: Any implementation running the Matrix protocol, particularly in sensitive environments.
## Vulnerability Description
Two high-severity vulnerabilities were patched.
**CVE-2025-49090 (Room Control Mismanagement):** This flaw allowed a malicious administrator within a room (e.g., within a government IT system) to remove permissions set by the original room creator. This could be leveraged to disrupt official communications, seize control of the discussion space within a classified channel, or redirect members to a hostile, attacker-controlled room running a rogue implementation of the protocol. The fix makes the elevated privileges assigned to the room creator permanent, so they can no longer be removed by another administrator.
**Unnamed Bug (Predictable Room ID Generation):** In certain circumstances, an attacker could predict the unique pseudo-random ID generated for a new Matrix room. This allowed the attacker to pre-create the room or join a sensitive channel before legitimate members, setting the room up under the attacker's control, potentially facilitating data exfiltration or disruption during crises.
## Exploitation
- Status: Matrix Foundation did not disclose awareness of exploitation in the wild.
- Complexity: Implied Medium to High; the first bug required the attacker to already hold an administrative role in the room, and the second required conditions under which the room ID was predictable.
- Attack Vector: Varies depending on the context, but generally targeted at the server/room management level.
## Impact
- Confidentiality: High (Potential exfiltration of sensitive information by controlling room membership/redirection).
- Integrity: High (Potential disruption of official communications or modification of channel parameters).
- Availability: Medium to High (Ability to disrupt incident response communications or force users into malicious environments).
## Remediation
### Patches
- Specific patch versions were released via an off-cycle security release coordinated under embargo. Implementers must apply the security update provided by the Matrix Foundation for their specific client/server implementation.
### Workarounds
- The Foundation provided guidance to clients regarding necessary steps for **room upgrades** following the patch deployment, emphasizing the need for thorough testing before rollout, as upgrades were expected to be disruptive.
## Detection
- The primary detection measure is to verify that all deployed Matrix software components (servers and clients) have been updated to the versions incorporating the security fixes.
- Specific Indicators of Compromise (IoCs) were not publicly detailed alongside the fix, but suspicious administrative actions (like unexpected permission changes or sudden redirection of users) in sensitive rooms should be investigated.
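One way to operationalise the "unexpected permission changes" indicator above is to replay a room's state events and flag any `m.room.power_levels` change that lowers the creator's level. This is an added example, not code from the Matrix project; it assumes the event shape of the Matrix client-server spec (`m.room.create` with a `creator` field or, in newer room versions, the event `sender`; `m.room.power_levels` with `users` and `users_default`), and the sample events are constructed.

```python
# Constructed sample of a room's state events (not real traffic): the creator
# sets power levels, then a second admin demotes the creator to level 0.
SAMPLE_EVENTS = [
    {"type": "m.room.create", "sender": "@creator:example.org", "state_key": "",
     "origin_server_ts": 1000, "content": {"creator": "@creator:example.org"}},
    {"type": "m.room.power_levels", "sender": "@creator:example.org", "state_key": "",
     "origin_server_ts": 1001,
     "content": {"users": {"@creator:example.org": 100, "@admin:example.org": 100},
                 "users_default": 0}},
    {"type": "m.room.power_levels", "sender": "@admin:example.org", "state_key": "",
     "origin_server_ts": 1002,
     "content": {"users": {"@creator:example.org": 0, "@admin:example.org": 100},
                 "users_default": 0}},
]


def room_creator(events):
    """Identify the creator: the 'creator' field if present, else the create event's sender."""
    for ev in events:
        if ev["type"] == "m.room.create":
            return ev["content"].get("creator") or ev["sender"]
    return None


def find_creator_demotions(events):
    """Return one alert per power_levels event that lowers the creator's level.

    Each alert records who sent the change and whether it was self-inflicted,
    so an analyst can prioritise demotions performed by a different admin.
    """
    creator = room_creator(events)
    if creator is None:
        return []
    alerts, prev_level = [], None
    for ev in sorted(events, key=lambda e: e["origin_server_ts"]):
        if ev["type"] != "m.room.power_levels":
            continue
        users = ev["content"].get("users", {})
        level = users.get(creator, ev["content"].get("users_default", 0))
        if prev_level is not None and level < prev_level:
            alerts.append({"ts": ev["origin_server_ts"], "sender": ev["sender"],
                           "creator": creator, "from": prev_level, "to": level,
                           "by_other_admin": ev["sender"] != creator})
        prev_level = level
    return alerts


if __name__ == "__main__":
    for alert in find_creator_demotions(SAMPLE_EVENTS):
        print(alert)
```

Feed it the state events for each sensitive room (for example from a homeserver export) and review every alert with `by_other_admin` set.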
## References
- Vendor Advisory (Security Release): hxxps://matrix.org/blog/2025/08/security-release/
- Pre-disclosure Advisory: hxxps://matrix.org/blog/2025/07/security-predisclosure/
- Upgrade Guidance: hxxps://matrix.org/docs/communities/administration/#room-upgrades