PT-2025-28503 · Canonical · Juju
Tlm · Published 2025-07-08 · Updated 2026-01-08 · CVE-2025-0928
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Juju versions prior to 3.6.8
Juju versions prior to 2.9.52
Description:
The issue allows any authenticated controller user to upload arbitrary agent binaries to any model or to the controller itself without verifying model membership or requiring explicit permissions. This enables the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution.
Recommendations:
For versions prior to 3.6.8, update to version 3.6.8 or later.
For versions prior to 2.9.52, update to version 2.9.52 or later.
Exploit
Fix
RCE
Improper Authorization
Unrestricted File Upload
Affected Products
Juju