PT-2025-23104 · Kea+2
Published 2025-04-10 · Updated 2026-03-26
CVE-2025-32801
CVSS v3.1: 7.8 (High)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Kea versions 2.4.0 through 2.4.1
Kea versions 2.6.0 through 2.6.2
Kea versions 2.7.0 through 2.7.8
Description
Kea's hooks-libraries configuration directive, and the management API commands that set or reload the configuration, make the server dlopen() whatever shared object the directive names. Anyone who can write to the configuration, or who can reach a control socket or the Control Agent's HTTP endpoint, can therefore point Kea at a malicious hook library, which then executes with the server's privileges. Many common configurations run Kea as root, leave the API entry points unsecured by default (no authentication on the Control Agent), and/or place the control sockets in insecure paths such as world-writable directories, which turns this into local privilege escalation or code execution from the network.
Recommendations
Update to the first fixed release of your branch: 2.4.2 for 2.4.0 through 2.4.1, 2.6.3 for 2.6.0 through 2.6.2, and 2.7.9 for 2.7.0 through 2.7.8.
As a temporary workaround until the update is applied: run Kea as a dedicated unprivileged user rather than root; place the control sockets in a directory that only that user can write to (not /tmp); bind the Control Agent to loopback or put it behind authentication and a TLS-terminating proxy; and keep hooks-libraries entries restricted to the packaged hooks directory, which only root can write to.
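The following audit script checks a Kea configuration for the three conditions named in the description and the workaround: hook libraries loaded from a path an unprivileged user could write, control sockets in a world-writable directory, and a Control Agent HTTP API reachable beyond loopback without authentication. It is an added example, not ISC's code and not part of the original advisory. It assumes the Kea 2.x configuration keys hooks-libraries, control-socket, Control-agent and authentication; the trusted hook directory list (TRUSTED_HOOK_DIRS) is an assumption to adjust to where your package installs hooks, and the two embedded configurations are constructed samples.

```python
"""Audit a Kea configuration for hook libraries outside trusted directories,
control sockets in world-writable directories, and an unauthenticated
Control Agent HTTP API exposed beyond loopback.

Added example, not ISC's code. TRUSTED_HOOK_DIRS is an assumption: use the
hooks directory your Kea package actually installs to.
"""
import json
import os
import posixpath
import re
import stat
import sys

# Assumption: directories only root can write, where packaged hooks live.
TRUSTED_HOOK_DIRS = (
    "/usr/lib/x86_64-linux-gnu/kea/hooks",
    "/usr/lib64/kea/hooks",
    "/usr/local/lib/kea/hooks",
)
# Fallback used when the socket directory cannot be stat()ed on this host.
KNOWN_SHARED_TMP = ("/tmp", "/var/tmp", "/dev/shm")
LOOPBACK_HOSTS = ("127.0.0.1", "::1", "localhost")


def load_kea_config(text):
    """Parse Kea's JSON dialect: full-line '#' and '//' comments are dropped
    (block comments are not handled by this helper)."""
    lines = [ln for ln in text.splitlines() if not re.match(r"^\s*(#|//)", ln)]
    return json.loads("\n".join(lines))


def under_dir(path, directory):
    """True if the normalised absolute path lies inside directory; '..' is
    resolved first so /usr/lib64/kea/hooks/../../x.so does not pass."""
    norm = posixpath.normpath(path)
    return posixpath.isabs(norm) and norm.startswith(directory.rstrip("/") + "/")


def dir_is_world_writable(sock_path):
    """Check the o+w bit on the socket's directory; if the directory does not
    exist on this host, fall back to the well-known shared temp directories."""
    parent = posixpath.dirname(posixpath.normpath(sock_path))
    try:
        return bool(os.stat(parent).st_mode & stat.S_IWOTH)
    except OSError:
        return any(parent == d or parent.startswith(d + "/") for d in KNOWN_SHARED_TMP)


def audit_kea_config(config):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for server in ("Dhcp4", "Dhcp6", "DhcpDdns"):
        section = config.get(server)
        if not section:
            continue
        for hook in section.get("hooks-libraries", []):
            lib = hook.get("library", "")
            if not any(under_dir(lib, d) for d in TRUSTED_HOOK_DIRS):
                findings.append("%s: hook library outside trusted dirs: %s" % (server, lib))
        sock = section.get("control-socket", {})
        if sock.get("socket-type", "unix") == "unix":
            name = sock.get("socket-name", "")
            if name and dir_is_world_writable(name):
                findings.append("%s: control socket in world-writable dir: %s" % (server, name))
    agent = config.get("Control-agent")
    if agent:
        host = agent.get("http-host", "127.0.0.1")
        if host not in LOOPBACK_HOSTS and "authentication" not in agent:
            findings.append("Control-agent: HTTP API on %s without authentication" % host)
    return findings


# Constructed sample of a weak deployment: hook from /tmp, socket in /tmp,
# HTTP API on all interfaces with no authentication.
WEAK_CONFIG = """
# constructed sample, not a real deployment
{
  "Dhcp4": {
    "hooks-libraries": [ { "library": "/tmp/libdhcp_custom.so" } ],
    "control-socket": { "socket-type": "unix", "socket-name": "/tmp/kea4-ctrl-socket" }
  },
  "Control-agent": { "http-host": "0.0.0.0", "http-port": 8000 }
}
"""

# Constructed hardened counterpart: packaged hook, socket under a root-owned
# directory (/run/kea, assumed 0750), API on loopback with basic auth.
HARDENED_CONFIG = """
// constructed sample, not a real deployment
{
  "Dhcp4": {
    "hooks-libraries": [ { "library": "/usr/lib64/kea/hooks/libdhcp_lease_cmds.so" } ],
    "control-socket": { "socket-type": "unix", "socket-name": "/run/kea/kea4-ctrl-socket" }
  },
  "Control-agent": {
    "http-host": "127.0.0.1", "http-port": 8000,
    "authentication": { "type": "basic", "realm": "kea",
                        "clients": [ { "user": "admin", "password": "change-me" } ] }
  }
}
"""

if __name__ == "__main__":
    # Usage: python3 kea_audit.py /etc/kea/kea-dhcp4.conf [more files]
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or \
              [("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)]
    for label, text in sources:
        print(label, audit_kea_config(load_kea_config(text)) or ["clean"])
```

Run without arguments the script reports three findings for the weak sample and none for the hardened one; pointed at your real kea-dhcp4.conf, kea-dhcp6.conf and kea-ctrl-agent.conf it reports the same classes of problem. The stat() check rather than a path prefix alone is deliberate: a socket under a custom directory is only safe if that directory is not writable by others.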
Fix
LPE · RCE · Untrusted Search Path · Code Injection
Related Identifiers
Affected Products
Debian
Kea
Red Os