Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-32802

Summary
Assigner-isc
Assigner Org ID-404fd4d2-a609-4245-b543-2c944a302a22
Published At-28 May, 2025 | 17:08
Updated At-28 May, 2025 | 17:23
Rejected At-
Credits

Insecure handling of file paths allows multiple local attacks

Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:isc
Assigner Org ID:404fd4d2-a609-4245-b543-2c944a302a22
Published At:28 May, 2025 | 17:08
Updated At:28 May, 2025 | 17:23
Rejected At:
▼CVE Numbering Authority (CNA)
Insecure handling of file paths allows multiple local attacks

Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.

Affected Products
Vendor
Internet Systems Consortium, Inc.ISC
Product
Kea
Default Status
unaffected
Versions
Affected
  • From 2.4.0 through 2.4.1 (custom)
  • From 2.6.0 through 2.6.2 (custom)
  • From 2.7.0 through 2.7.8 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-73CWE-73 External Control of File Name or Path
CWECWE-379CWE-379 Creation of Temporary File in Directory with Insecure Permissions
Type: CWE
CWE ID: CWE-73
Description: CWE-73 External Control of File Name or Path
Type: CWE
CWE ID: CWE-379
Description: CWE-379 Creation of Temporary File in Directory with Insecure Permissions
Metrics
VersionBase scoreBase severityVector
3.16.1MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
N/AIf an attacker has access to a local unprivileged user account, and the Kea API entry points are not secured, the attacker can use the API to arbitrarily modify Kea's configuration or to overwrite any file Kea has write access to. If Kea is running as root, the attacker could overwrite any local file. This can lead to local privilege escalation and/or system-wide denial of service. If control sockets are placed in an insecure location, any local user may be able to impersonate a Kea service or prevent the real Kea service from starting.
CAPEC ID: N/A
Description: If an attacker has access to a local unprivileged user account, and the Kea API entry points are not secured, the attacker can use the API to arbitrarily modify Kea's configuration or to overwrite any file Kea has write access to. If Kea is running as root, the attacker could overwrite any local file. This can lead to local privilege escalation and/or system-wide denial of service. If control sockets are placed in an insecure location, any local user may be able to impersonate a Kea service or prevent the real Kea service from starting.
Solutions

Upgrade to the patched release most closely related to your current version of Kea: 2.4.2, 2.6.3, or 2.7.9.

Configurations
Workarounds

Two mitigation approaches are possible: (1) Disable the API entirely, by (1a) disabling the `kea-ctrl-agent`, and (1b) removing any `"control-socket"` stanzas from the Kea configuration files; or (2) Secure access to the API by (2a) requiring authentication (a password or client certificate) for the `kea-ctrl-agent`, and (2b) configuring all `"control-socket"` stanzas to use a directory restricted to only trusted users.

Exploits

We are not aware of any active exploits.

Credits
ISC would like to thank Matthias Gerstner from the SUSE security team for bringing this vulnerability to our attention.
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://kb.isc.org/docs/cve-2025-32802
vendor-advisory
Hyperlink: https://kb.isc.org/docs/cve-2025-32802
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-officer@isc.org
Published At:28 May, 2025 | 17:15
Updated At:29 May, 2025 | 14:29

Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.16.1MEDIUM
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Type: Primary
Version: 3.1
Base score: 6.1
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-73Secondarysecurity-officer@isc.org
CWE-379Secondarysecurity-officer@isc.org
CWE ID: CWE-73
Type: Secondary
Source: security-officer@isc.org
CWE ID: CWE-379
Type: Secondary
Source: security-officer@isc.org
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://kb.isc.org/docs/cve-2025-32802security-officer@isc.org
N/A
Hyperlink: https://kb.isc.org/docs/cve-2025-32802
Source: security-officer@isc.org
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

1Records found
CVE-2025-1056
Matching Score-4
Assigner-Axis Communications AB
ShareView Details
Matching Score-4
Assigner-Axis Communications AB
CVSS Score-6.1||MEDIUM
EPSS-0.19% / 40.80%
||
7 Day CHG~0.00%
Published-23 Apr, 2025 | 05:18
Updated-14 Jan, 2026 | 17:41
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Gee-netics, member of AXIS Camera Station Pro Bug Bounty Program, has identified an issue with a specific file that the server is using. A non-admin user can modify this file to either create files or change the content of files in an admin-protected location. Axis has released a patched version for the highlighted flaw. Please refer to the Axis security advisory for more information and solution.

Action-Not Available
Vendor-axisAxis Communications AB
Product-camera_station_proAXIS Camera Station Pro
CWE ID-CWE-73
External Control of File Name or Path
Details not found