{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-32801", "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22", "state": "PUBLISHED", "assignerShortName": "isc", "dateReserved": "2025-04-10T12:51:45.055Z", "datePublished": "2025-05-28T17:03:34.499Z", "dateUpdated": "2025-05-28T17:33:50.355Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "404fd4d2-a609-4245-b543-2c944a302a22", "shortName": "isc", "dateUpdated": "2025-05-28T17:03:34.499Z"}, "title": "Loading a malicious hook library can lead to local privilege escalation", "datePublic": "2025-05-28T00:00:00.000Z", "affected": [{"vendor": "ISC", "product": "Kea", "versions": [{"version": "2.4.0", "lessThanOrEqual": "2.4.1", "status": "affected", "versionType": "custom"}, {"version": "2.6.0", "lessThanOrEqual": "2.6.2", "status": "affected", "versionType": "custom"}, {"version": "2.7.0", "lessThanOrEqual": "2.7.8", "status": "affected", "versionType": "custom"}], "defaultStatus": "unaffected"}], "metrics": [{"cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "descriptions": [{"lang": "en", "value": "Kea configuration and API directives can be used to load a malicious hook library. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths.\nThis issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8."}], "impacts": [{"descriptions": [{"lang": "en", "value": "If an attacker has access to a local unprivileged user account, and the Kea API entry points are not secured, the attacker can instruct Kea to load a hook library from an arbitrary local file (including a file introduced by the attacker). The malicious hook would execute with the privileges available to Kea."}]}], "workarounds": [{"lang": "en", "value": "Two mitigation approaches are possible: (1) Disable the Kea API entirely, by (1a) disabling the `kea-ctrl-agent`, and (1b) removing any `\"control-socket\"` stanzas from the Kea configuration files; or (2) Secure access to the API by (2a) requiring authentication (a password or client certificate) for the `kea-ctrl-agent`, and (2b) configuring all `\"control-socket\"` stanzas to use a directory restricted to only trusted users."}], "exploits": [{"lang": "en", "value": "We are not aware of any active exploits."}], "solutions": [{"lang": "en", "value": "Upgrade to the patched release most closely related to your current version of Kea: 2.4.2, 2.6.3, or 2.7.9."}], "credits": [{"lang": "en", "value": "ISC would like to thank Matthias Gerstner from the SUSE security team and Laura Pardo from Red Hat's Product Security Team for bringing this vulnerability to our attention."}], "references": [{"url": "https://kb.isc.org/docs/cve-2025-32801", "name": "CVE-2025-32801", "tags": ["vendor-advisory"]}], "source": {"discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-05-28T17:33:36.266136Z", "id": "CVE-2025-32801", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-28T17:33:50.355Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-32801", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-05-28T17:33:36.266136Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-05-28T17:33:41.278Z"}}], "cna": {"title": "Loading a malicious hook library can lead to local privilege escalation", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "value": "ISC would like to thank Matthias Gerstner from the SUSE security team and Laura Pardo from Red Hat's Product Security Team for bringing this vulnerability to our attention."}], "impacts": [{"descriptions": [{"lang": "en", "value": "If an attacker has access to a local unprivileged user account, and the Kea API entry points are not secured, the attacker can instruct Kea to load a hook library from an arbitrary local file (including a file introduced by the attacker). The malicious hook would execute with the privileges available to Kea."}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "ISC", "product": "Kea", "versions": [{"status": "affected", "version": "2.4.0", "versionType": "custom", "lessThanOrEqual": "2.4.1"}, {"status": "affected", "version": "2.6.0", "versionType": "custom", "lessThanOrEqual": "2.6.2"}, {"status": "affected", "version": "2.7.0", "versionType": "custom", "lessThanOrEqual": "2.7.8"}], "defaultStatus": "unaffected"}], "exploits": [{"lang": "en", "value": "We are not aware of any active exploits."}], "solutions": [{"lang": "en", "value": "Upgrade to the patched release most closely related to your current version of Kea: 2.4.2, 2.6.3, or 2.7.9."}], "datePublic": "2025-05-28T00:00:00.000Z", "references": [{"url": "https://kb.isc.org/docs/cve-2025-32801", "name": "CVE-2025-32801", "tags": ["vendor-advisory"]}], "workarounds": [{"lang": "en", "value": "Two mitigation approaches are possible: (1) Disable the Kea API entirely, by (1a) disabling the `kea-ctrl-agent`, and (1b) removing any `\"control-socket\"` stanzas from the Kea configuration files; or (2) Secure access to the API by (2a) requiring authentication (a password or client certificate) for the `kea-ctrl-agent`, and (2b) configuring all `\"control-socket\"` stanzas to use a directory restricted to only trusted users."}], "descriptions": [{"lang": "en", "value": "Kea configuration and API directives can be used to load a malicious hook library. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths.\nThis issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-94", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "404fd4d2-a609-4245-b543-2c944a302a22", "shortName": "isc", "dateUpdated": "2025-05-28T17:03:34.499Z"}}}, "cveMetadata": {"cveId": "CVE-2025-32801", "state": "PUBLISHED", "dateUpdated": "2025-05-28T17:33:50.355Z", "dateReserved": "2025-04-10T12:51:45.055Z", "assignerOrgId": "404fd4d2-a609-4245-b543-2c944a302a22", "datePublished": "2025-05-28T17:03:34.499Z", "assignerShortName": "isc"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Kea configuration and API directives can be used to load a malicious hook library. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths.\nThis issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8."}], "id": "CVE-2025-32801", "lastModified": "2025-05-29T14:29:50.247", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "security-officer@isc.org", "type": "Primary"}]}, "published": "2025-05-28T17:15:23.710", "references": [{"source": "security-officer@isc.org", "url": "https://kb.isc.org/docs/cve-2025-32801"}], "sourceIdentifier": "security-officer@isc.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-94"}], "source": "security-officer@isc.org", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2025:9178", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "kea-0:2.6.3-1.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-06-17T00:00:00Z"}], "bugzilla": {"description": "kea: Loading a malicious hook library can lead to local privilege escalation", "id": "2366362", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2366362"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-267", "details": ["Kea configuration and API directives can be used to load a malicious hook library. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths.\nThis issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.", "A flaw was found in the Kea package, where an unprivileged user can instruct Kea to load a hook library from any arbitrary local file. This hook can then be executed using the same privileges that Kea runs under. This vulnerability allows an attacker with access to a local, unprivileged account to introduce a malicious local hook library, which Kea will execute, achieving arbitrary code execution and privilege escalation."], "mitigation": {"lang": "en:us", "value": "This vulnerability can be mitigated via one of the two following alternatives:\n1) Disable the Kea API entirely by disabling the kea-ctrl-agent and removing any control-socket stanzas from the Kea configuration files.\n2) Configure the API to require authentication for the kea-ctrl-agent and configuring all \"control-socket\" stanzes to use a directory restricted to trusted users."}, "name": "CVE-2025-32801", "public_date": "2025-05-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-32801\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-32801"], "statement": "This vulnerability is rated as an Important severity because the vulnerability was found in the configuration and API directives related to hook library loading, it is a local privilege escalation flaw triggered when an attacker with local unprivileged access instructs Kea to load a malicious hook library, which is possible if the API entry points are unsecured or control sockets are in insecure paths. This leads to arbitrary code execution enabling an attacker to gain unauthorized access to sensitive data, alter critical system configurations, and disrupt service availability.", "threat_severity": "Important"}

{}