Platform: linux
Component: kea
Fixed in: 2.4.2, 2.6.3, 2.7.9
CVE-2025-32801 describes a privilege escalation vulnerability within the Kea DHCP server. Attackers can exploit misconfigured API directives to load malicious hook libraries, potentially leading to unauthorized access and control. This vulnerability impacts Kea versions 2.4.0 through 2.7.8, and a fix is available in version 2.7.9.
The primary impact of CVE-2025-32801 is the potential for an attacker to gain root privileges on the system hosting the Kea DHCP server. This is particularly concerning because many Kea deployments run as root and expose API entry points without proper security controls. Successful exploitation could allow an attacker to modify DHCP configurations, redirect network traffic, compromise other systems on the network, and potentially achieve complete control over the affected server. The ease of exploitation is amplified by the default insecure configurations often found in Kea installations, such as placing control sockets in accessible locations.
CVE-2025-32801 was publicly disclosed on 2025-05-28. The vulnerability's severity is rated HIGH with a CVSS score of 7.8. No public proof-of-concept (PoC) code has been released as of this writing, but the ease of exploitation due to default configurations raises concerns about potential exploitation in the wild. It is not currently listed on the CISA KEV catalog.
Organizations running Kea DHCP servers in environments with default configurations, particularly those running as root and exposing API endpoints without proper access controls, are at significant risk. Shared hosting environments where multiple users share a Kea instance are also vulnerable, as a compromised user could potentially exploit the API to escalate privileges.
• linux / server: journalctl -u kea -g 'hook'
  (review hook-library load messages in the Kea journal; adjust the unit name to your distribution's Kea service)
• linux / server: lsof -a -i :67 -p "$(pidof kea)"
  (-a makes lsof AND the port and pid filters instead of listing either; confirm the process bound to DHCP port 67 is the expected Kea binary)
• linux / server: ps aux | grep kea | grep -i hook
  (look for hook-library paths passed on the Kea command line)
Disclosure
Exploit Status
EPSS: 0.02% (6th percentile)
The primary mitigation for CVE-2025-32801 is to upgrade to Kea version 2.7.9 or later. Prior to upgrading, assess the impact on dependent systems and plan a rollback strategy if necessary. Review Kea's API configuration and restrict access to authorized clients only. Ensure control sockets are not accessible from untrusted networks. Implement network segmentation to limit the blast radius of a potential compromise. Consider using a Web Application Firewall (WAF) to filter malicious requests targeting the Kea API. After upgrading, verify the fix by attempting to load a malicious hook library via the API and confirming that the attempt is denied.
Update Kea to a version later than 2.7.8. Make sure the Kea configuration is secure, including protecting the API entry points and setting secure permissions on the control sockets. Consult the ISC documentation for specific guidance on configuring Kea securely.
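An added configuration audit, not code from the advisory or from ISC, that checks a Kea config for the two weaknesses described above: a control socket placed in a world-writable directory and hook libraries loaded from outside a trusted directory. The sample config, the trusted hook directory and the list of world-writable directories are assumptions for illustration.

```python
"""Audit a Kea config for weaknesses relevant to CVE-2025-32801:
control sockets in world-accessible directories and hook libraries
outside a trusted directory. The sample config below is constructed."""
import json
import os

# Assumption: on this host, hook libraries are only legitimate under this path.
TRUSTED_HOOK_DIR = "/usr/lib/kea/hooks"
# Directories any local account can write to; a control socket here is reachable
# by every local user (the "accessible location" the advisory warns about).
WORLD_WRITABLE_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

# Constructed sample: socket in /tmp and one hook library from a home directory.
SAMPLE_CONFIG = json.dumps({
    "Dhcp4": {
        "control-socket": {"socket-type": "unix", "socket-name": "/tmp/kea4-ctrl-socket"},
        "hooks-libraries": [
            {"library": "/usr/lib/kea/hooks/libdhcp_lease_cmds.so"},
            {"library": "/home/alice/libdhcp_custom.so"},
        ],
    }
})


def audit_kea_config(config_text, trusted_hook_dir=TRUSTED_HOOK_DIR):
    """Return a list of finding strings; an empty list means nothing was flagged."""
    findings = []
    cfg = json.loads(config_text)
    for server in ("Dhcp4", "Dhcp6"):
        section = cfg.get(server)
        if not section:
            continue
        # Flag a control socket whose directory is world-writable.
        name = section.get("control-socket", {}).get("socket-name", "")
        sock_dir = os.path.dirname(os.path.normpath(name))
        if any(sock_dir == d or sock_dir.startswith(d + "/") for d in WORLD_WRITABLE_DIRS):
            findings.append(f"{server}: control socket {name} is in a world-writable directory")
        # Flag any hook library not under the trusted directory.
        for hook in section.get("hooks-libraries", []):
            lib = os.path.normpath(hook.get("library", ""))
            if not lib.startswith(trusted_hook_dir + "/"):
                findings.append(f"{server}: hook library {lib} is outside {trusted_hook_dir}")
    return findings


if __name__ == "__main__":
    for finding in audit_kea_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the live config file (Kea also accepts comments in its config, which this plain JSON parser does not strip) and treat every finding as something to move or remove before relying on the upgrade alone.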
CVE-2025-32801 is a vulnerability in Kea DHCP Server allowing attackers to load malicious hook libraries, potentially gaining root access. It affects versions 2.4.0–2.7.8.
If you are running Kea DHCP Server versions 2.4.0 through 2.7.8, you are potentially affected. Review your configuration and upgrade as soon as possible.
Upgrade to Kea DHCP Server version 2.7.9 or later. Secure your API endpoints and control sockets to prevent unauthorized access.
While no public exploits are currently known, the ease of exploitation due to default configurations raises concerns about potential exploitation in the wild.
Refer to the official Kea project website and security advisories for the latest information and updates regarding CVE-2025-32801.