PT-2025-44765 · Raspberry Pi Foundation · Raspberry Pi Imager
Published: 2025-11-03 · Updated: 2025-11-03
CVE-2025-60892
CVSS v3.1: 6.8 (Medium)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Raspberry Pi Imager version 1.9.6
Description
An issue exists in the OS customization feature of Raspberry Pi Imager. The 'public-key authentication' setting unintentionally re-adds a user's id_rsa.pub key from their local Windows machine to the authorized_keys file on the Raspberry Pi, even after the user deletes the key through the user interface. This could allow an attacker to use a different key to log in to the device, creating an unintended attack surface.
Recommendations
Update to a newer version of Raspberry Pi Imager that contains a fix for this vulnerability.
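To check a device that was flashed with the affected version, the following added example (not part of the advisory and not Raspberry Pi Imager code) parses an authorized_keys file and reports every entry whose SHA256 fingerprint is not in the set of keys you intended to install. The function names are assumptions, and the sample lines are constructed from dummy bytes rather than real keys.

```python
import base64
import hashlib
import struct

def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a raw public-key blob."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text):
    """Yield (key_type, fingerprint, comment) per key line, skipping any options prefix."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i in range(len(fields) - 1):
            try:
                blob = base64.b64decode(fields[i + 1], validate=True)
            except ValueError:
                continue
            # A key blob starts with uint32 length + the key type name,
            # which must match the type field that precedes it.
            if len(blob) > 4:
                (n,) = struct.unpack(">I", blob[:4])
                if blob[4:4 + n] == fields[i].encode():
                    yield fields[i], fingerprint(blob), " ".join(fields[i + 2:])
                    break

def unexpected_keys(text, allowed_fingerprints):
    """Return entries whose fingerprint is not in the intended set."""
    return [e for e in parse_authorized_keys(text) if e[1] not in allowed_fingerprints]

def _constructed_line(key_type, material, comment):
    """Build a syntactically valid authorized_keys line from dummy bytes (not a real key)."""
    t = key_type.encode()
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", len(material)) + material
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

# Constructed sample: one intended key plus one entry the user thought was removed.
INTENDED = _constructed_line("ssh-ed25519", bytes(range(32)), "admin@laptop")
LEFTOVER = _constructed_line("ssh-rsa", bytes(range(64)), "user@windows-pc")
SAMPLE = f"# authorized_keys read from the flashed device\n{INTENDED}\nno-pty {LEFTOVER}\n"
ALLOWED = {next(parse_authorized_keys(INTENDED))[1]}

if __name__ == "__main__":
    for key_type, fp, comment in unexpected_keys(SAMPLE, ALLOWED):
        print(f"unexpected key: {key_type} {fp} {comment}")
```

Build the allowed set from the fingerprints of the keys you deliberately configured, then run the check against the authorized_keys file read from the device.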
Fix
Information Disclosure
Affected Products
Raspberry Pi Imager