Platform
python
Component
subiquity
Fixed in
24.04.5
24.04.5
24.04.5
CVE-2025-14551 is an Information Disclosure vulnerability affecting Subiquity, the Ubuntu installer. During installation failures and subsequent bug report submissions to Launchpad, Subiquity could inadvertently include sensitive user credentials, such as plaintext Wi-Fi passwords, within the attached logs. This vulnerability impacts versions 0.0.0 through 25.10 of Subiquity, specifically Ubuntu 24.04.4. A patch is available in version 24.04.5.
CVE-2025-14551 affects Ubuntu, specifically Subiquity version 24.04.4. The vulnerability lies within the crash reporting process. During installation failure, if a user submits a bug report to Launchpad, Subiquity could inadvertently include sensitive user credentials, such as plaintext Wi-Fi passwords, in the attached logs. This poses a significant risk of credential exposure, particularly if the bug report is accessible to third parties. The severity of this vulnerability is assessed based on the potential damage that could result from the disclosure of this information, including unauthorized access to Wi-Fi networks and potentially other connected systems.
Exploitation of CVE-2025-14551 requires an Ubuntu installation failure and the user choosing to submit a bug report to Launchpad. An attacker could attempt to induce an installation failure, either by manipulating the installation process or exploiting a pre-existing vulnerability. Once the user submits the report, the attacker could access the attachments and extract the sensitive credentials. The likelihood of exploitation depends on the frequency of installation failures and the user's willingness to submit bug reports. The complexity of exploitation is relatively low, as it does not require advanced technical skills.
Exploit Status
EPSS
0.06% (17% percentile)
CISA SSVC
The solution to CVE-2025-14551 is to update to Ubuntu 24.04.5 or later. Canonical has released an update that addresses this vulnerability, preventing user credentials from being included in bug reports. It is strongly recommended that all users of Ubuntu 24.04.4 apply this update as soon as possible. Additionally, it is prudent to review any bug reports previously submitted to Launchpad from a vulnerable installation to verify if sensitive information was included. If sensitive information is found, change the affected passwords immediately. The update can be applied through Ubuntu's package manager.
Actualice Subiquity a la versión 24.04.5 o posterior para evitar la divulgación de credenciales sensibles en los informes de errores. Esto se puede hacer a través de los canales de actualización estándar de Ubuntu. Verifique la documentación de Ubuntu para obtener instrucciones específicas sobre cómo actualizar el sistema.
Vulnerability analysis and critical alerts directly to your inbox.
Review the bug report on Launchpad to see if it contains sensitive information. If so, change the affected passwords immediately.
Use Ubuntu's package manager. Run sudo apt update && sudo apt upgrade in the terminal.
No, this vulnerability is specific to Subiquity version 24.04.4.
Launchpad is a code hosting platform and bug tracking system used by Canonical for Ubuntu.
Currently, there are no specific tools to scan for this vulnerability. The best way to verify is to check the installed Subiquity version.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.