CVE-2025-32802

EPSS 0.01%
Published 28.05.2025 17:15:23
Last modified 29.05.2025 14:29:50
Source security-officer@isc.org
Teams watchlist Login
Open Login

Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea.  Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths.
This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.

Affected products Warnungen 0 Metrics 2 CWE 2 References 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

VendorISC

≫

Product Kea

Default Statusunaffected

Version <= 2.4.1

Version 2.4.0

Status affected

Version <= 2.6.2

Version 2.6.0

Status affected

Version <= 2.7.8

Version 2.7.0

Status affected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.01%	0.002

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
security-officer@isc.org	6.1	1.8	4.2	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

CWE-379 Creation of Temporary File in Directory with Insecure Permissions

The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.

CWE-73 External Control of File Name or Path

The product allows user input to control or influence paths or file names that are used in filesystem operations.

https://kb.isc.org/docs/cve-2025-32802

https://nvd.nist.gov/vuln/detail/CVE-2025-32802

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-32802

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-32802

EUVD