PT-2025-23105 · Kea+2
Published 2025-05-28 · Updated 2026-03-26 · CVE-2025-32802
CVSS v3.1: 6.1 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Name of the Vulnerable Software and Affected Versions
Kea versions 2.4.0 through 2.4.1
Kea versions 2.6.0 through 2.6.2
Kea versions 2.7.0 through 2.7.8
Description
Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths.
Recommendations
For versions 2.4.0 through 2.4.1, update to a version outside of this range to mitigate the risk.
For versions 2.6.0 through 2.6.2, update to a version outside of this range to mitigate the risk.
For versions 2.7.0 through 2.7.8, update to a version outside of this range to mitigate the risk.
As a temporary workaround, consider restricting access to the API entry points and control sockets to minimize the risk of exploitation.
Affected Products
Debian
Kea
Red Os