CVE-2026-39980
OpenCTI · OpenCTI
OpenCTI prior to 6.9.5 contains an EJS template injection vulnerability allowing authenticated users with Manage customization capabilities to execute arbitrary JavaScript on the platform.
Executive summary
An authenticated remote code execution vulnerability in OpenCTI allows users holding the "Manage customization" capability to execute arbitrary JavaScript on the platform, potentially compromising it entirely.
Vulnerability
The vulnerability exists in the safeEjs.ts file, which fails to properly sanitize EJS templates. An attacker with the "Manage customization" capability can exploit this flaw during notifier template execution to run arbitrary JavaScript within the context of the OpenCTI process.
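The advisory does not say how safeEjs.ts was corrected in 6.9.5, and the code below is not OpenCTI's. It is an added illustration of the defensive pattern behind this class of bug: a user-editable notifier template in EJS syntax is never handed to an evaluating renderer at all. Instead it is tokenized, only escaped-output tags whose body is a plain dotted property path (plus comment tags) are accepted, and the output is produced by own-property lookup with HTML escaping. Scriptlet, raw-output and whitespace-slurping tags are rejected before rendering. The function names, the allowed tag set and the sample data are all assumptions for this example.

```javascript
// Added example, not OpenCTI's own safeEjs.ts: an allow-list validator and an
// evaluation-free renderer for EJS-style notifier templates.
const OPEN = "<%";
const CLOSE = "%>";
// An output-tag body may only name a dotted identifier path, never an expression.
const PATH_RE = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

// Split a template into literal text and tag tokens without evaluating anything.
function tokenize(template) {
  const tokens = [];
  let pos = 0;
  while (pos < template.length) {
    const start = template.indexOf(OPEN, pos);
    if (start === -1) {
      tokens.push({ type: "text", value: template.slice(pos) });
      break;
    }
    if (start > pos) tokens.push({ type: "text", value: template.slice(pos, start) });
    const end = template.indexOf(CLOSE, start + OPEN.length);
    if (end === -1) throw new Error(`unclosed tag at offset ${start}`);
    let inner = template.slice(start + OPEN.length, end);
    // The character after "<%" selects the tag kind; "" is a plain scriptlet.
    const kind = /^[=\-#_%]/.test(inner) ? inner[0] : "";
    if (kind) inner = inner.slice(1);
    // Drop EJS whitespace-control suffixes ("-%>" / "_%>") from the body.
    inner = inner.replace(/[-_]$/, "");
    tokens.push({ type: "tag", kind, body: inner.trim() });
    pos = end + CLOSE.length;
  }
  return tokens;
}

// Validate a template: returns { ok, errors } listing every disallowed tag.
function validateTemplate(template) {
  const errors = [];
  let tokens;
  try {
    tokens = tokenize(template);
  } catch (e) {
    return { ok: false, errors: [e.message] };
  }
  for (const t of tokens) {
    if (t.type !== "tag" || t.kind === "#") continue; // text and comments are inert
    if (t.kind !== "=") {
      errors.push(`tag kind "<%${t.kind}" is not allowed: <%${t.kind} ${t.body} %>`);
    } else if (!PATH_RE.test(t.body)) {
      errors.push(`output tag body is not a plain property path: ${t.body}`);
    }
  }
  return { ok: errors.length === 0, errors };
}

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Resolve a dotted path using own properties only, so names such as
// "constructor" or "__proto__" cannot walk off the data object into built-ins.
function lookup(data, path) {
  let cur = data;
  for (const seg of path.split(".")) {
    if (cur === null || typeof cur !== "object" || !Object.prototype.hasOwnProperty.call(cur, seg)) {
      return "";
    }
    cur = cur[seg];
  }
  return cur == null ? "" : cur;
}

// Render with no JavaScript evaluation at all; throws if validation fails.
function renderTemplate(template, data) {
  const { ok, errors } = validateTemplate(template);
  if (!ok) throw new Error(`template rejected: ${errors.join("; ")}`);
  return tokenize(template)
    .map((t) => (t.type === "text" ? t.value : t.kind === "=" ? htmlEscape(lookup(data, t.body)) : ""))
    .join("");
}

// Constructed sample input: a benign notifier template and one with a scriptlet.
const sampleData = { alert: { name: "<script>", severity: "high" } };
console.log(renderTemplate("Alert <%= alert.name %> (<%= alert.severity %>)", sampleData));
console.log(validateTemplate("Alert <% process.exit() %>").errors);
```

Rejecting at save time (when a user with the customization capability edits a template) rather than at notifier execution time means a bad template never reaches the renderer, and the validation error doubles as an audit event worth logging.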
Business impact
Successful exploitation allows an attacker to gain code execution within the OpenCTI environment. Given the CVSS score of 9.1, this represents a critical risk, as it could lead to the theft of sensitive threat intelligence data, platform takeover, or lateral movement into connected security infrastructure.
Remediation
Immediate Action: Upgrade all OpenCTI instances to version 6.9.5 or later.
Proactive Monitoring: Review audit logs for unusual notifier template modifications or unauthorized access to the customization management interface.
Compensating Controls: Restrict "Manage customization" capabilities to the absolute minimum number of trusted administrators until patching is complete.
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability presents a significant risk to the integrity of threat intelligence operations. Organizations should prioritize patching to version 6.9.5 to eliminate the risk of arbitrary code execution by malicious or compromised internal accounts.