Platform: kubernetes
Component: eclipse-che-che-machine-exec
Fixed version: *
A critical Remote Code Execution (RCE) vulnerability has been identified in Eclipse Che's che-machine-exec component. This flaw allows unauthenticated attackers to execute arbitrary commands and steal sensitive information, such as SSH keys and tokens, from other users' Developer Workspace containers. The vulnerability affects versions prior to a currently undisclosed fixed version and is accessible through an exposed JSON-RPC / websocket API on TCP port 3333.
The impact of CVE-2025-12548 is severe. An attacker can gain complete control over user containers within the Eclipse Che environment, leading to data breaches, system compromise, and potential lateral movement within the Kubernetes cluster. Successful exploitation could result in the theft of sensitive credentials, modification of container contents, and disruption of development workflows. The unauthenticated nature of the vulnerability significantly broadens the attack surface, making it accessible to a wide range of malicious actors. This vulnerability shares similarities with other container escape vulnerabilities, highlighting the importance of robust container security practices.
This vulnerability is considered high probability due to its unauthenticated nature and the potential for widespread impact. It is likely to be added to the CISA KEV catalog. Public proof-of-concept (PoC) code is anticipated, increasing the risk of exploitation. The vulnerability was publicly disclosed on 2026-01-13.
Organizations utilizing Eclipse Che for software development and deployment, particularly those running it within Kubernetes environments, are at significant risk. Shared hosting environments or deployments with relaxed network security policies are especially vulnerable, as the unauthenticated nature of the vulnerability allows for easy exploitation.
• kubernetes / server:
  kubectl get pods -l app=che-machine-exec -o jsonpath='{.items[*].status.containerStatuses[*].name}'
• kubernetes / server:
  kubectl describe pod <pod_name> | grep -i 'che-machine-exec'
• kubernetes / server:
  kubectl logs <pod_name> -c che-machine-exec -f | grep -i 'json-rpc'
Disclosure
Exploit status
EPSS
0.38% (59th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-12548 is to upgrade to a version of Eclipse Che that includes the fix. Since a specific fixed version is not yet available, immediate action is required. As a temporary workaround, consider isolating the che-machine-exec service within a restricted network segment, limiting access to TCP port 3333 to only authorized clients. Implement strict network policies within your Kubernetes cluster to prevent unauthorized access to the service. Monitor Kubernetes audit logs for suspicious activity related to the che-machine-exec component. After upgrading, confirm the fix by attempting to trigger the vulnerable API endpoint and verifying that command execution is blocked.
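As an added illustration of the network-isolation workaround described above (this is example configuration, not part of the original advisory or of the Eclipse Che project), the following Kubernetes NetworkPolicy limits ingress to the che-machine-exec pods so that only a designated set of client pods can reach TCP port 3333. The namespace `eclipse-che`, the client label `che-machine-exec-client: allowed`, and the assumption that the service pods carry the `app: che-machine-exec` label (the selector the detection commands above already use) are placeholders to adapt to your deployment.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-che-machine-exec
  namespace: eclipse-che            # assumed namespace; replace with the one hosting che-machine-exec
spec:
  # Pods this policy applies to; once selected, all ingress not listed below is denied
  podSelector:
    matchLabels:
      app: che-machine-exec         # label assumed from the detection command above
  policyTypes:
    - Ingress
  ingress:
    - from:
        # Only pods carrying this (assumed) label may open connections to the service
        - podSelector:
            matchLabels:
              che-machine-exec-client: allowed
      ports:
        - protocol: TCP
          port: 3333                # the exposed JSON-RPC / websocket port named in the advisory
```

Apply it with `kubectl apply -f`, and remember that NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them; verify enforcement by confirming that a pod without the client label can no longer connect to port 3333. This policy reduces exposure but does not remove the flaw: any client that is still permitted to reach the port retains the unauthenticated access the advisory describes, so the upgrade remains the actual fix.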
Update Red Hat OpenShift Dev Spaces (RHOSDS) to a version that includes the security fixes provided in RHSA-2025:22620, RHSA-2025:22623 and RHSA-2025:22652. These updates address the remote command execution and secret exfiltration vulnerability. Consult the Red Hat security advisories for detailed upgrade instructions.
CVE-2025-12548 is a critical Remote Code Execution vulnerability in Eclipse Che's che-machine-exec component, allowing attackers to execute commands and steal secrets from user containers.
You are affected if you are using Eclipse Che che-machine-exec prior to the undisclosed fixed version. Immediate action is required.
Upgrade to a version of Eclipse Che that includes the fix. Until a fixed version is released, implement temporary workarounds like network isolation and strict access controls.
While active exploitation is not yet confirmed, the vulnerability's unauthenticated nature and potential impact make it a high-risk target and likely to be exploited.
Refer to the Eclipse Che security advisories page for updates and official guidance regarding CVE-2025-12548.