CVE-2025-67859 describes an Improper Authentication vulnerability discovered in TLP, a tool for managing power profiles. This flaw allows local users to arbitrarily control the daemon’s log settings and the power profile in use, potentially leading to system instability or unauthorized access to sensitive information. The vulnerability impacts TLP versions 1.9 through 1.9.1, and a fix is available in version 1.9.1.
The primary impact of CVE-2025-67859 lies in the ability of a local attacker to manipulate TLP's configuration. By exploiting this vulnerability, an attacker could alter the system's power profile, potentially causing performance issues, unexpected shutdowns, or even data loss. Furthermore, the attacker can modify the daemon’s log settings, either hiding their activity or injecting malicious log entries to obscure their actions. This could be used to cover up other malicious activities on the system. The blast radius is limited to the local machine running TLP, but the potential for disruption and data compromise warrants immediate attention.
CVE-2025-67859 was publicly disclosed on 2026-01-14. There is currently no indication of active exploitation or a KEV listing. No public proof-of-concept exploits have been released. The vulnerability's reliance on local access suggests a lower probability of widespread exploitation compared to remotely exploitable vulnerabilities.
Systems running TLP versions 1.9 and 1.9.1 are at risk, particularly those where the TLP process is not adequately secured and local user access is not strictly controlled. Environments where TLP is used for critical power management tasks are especially vulnerable.
Exploit status
EPSS
0.01% (1st percentile)
CISA SSVC
The recommended mitigation for CVE-2025-67859 is to immediately upgrade TLP to version 1.9.1 or later. If upgrading is not immediately feasible due to compatibility concerns or system downtime requirements, consider restricting access to the TLP configuration files and processes to only authorized users. While a direct WAF or proxy rule is unlikely to be effective for this local vulnerability, auditing TLP’s configuration files for unauthorized modifications can provide an early warning sign of compromise. There are no specific Sigma or YARA patterns available at this time, but monitoring system logs for unusual TLP activity is advised.
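One way to run the configuration audit suggested above, as an added example that is not code from the TLP project or from this advisory. It assumes TLP's configuration lives in `/etc/tlp.conf` and `/etc/tlp.d` (paths not stated on this page); the baseline file name is arbitrary.

```python
import hashlib
import json
import stat
import sys
from pathlib import Path

# Assumed default TLP configuration locations; the advisory does not name them.
DEFAULT_PATHS = ["/etc/tlp.conf", "/etc/tlp.d"]

def collect(paths):
    """Snapshot every regular file under paths: SHA-256, permission bits, owner uid."""
    snapshot = {}
    for p in map(Path, paths):
        if p.is_dir():
            files = sorted(f for f in p.rglob("*") if f.is_file())
        else:
            files = [p] if p.is_file() else []
        for f in files:
            st = f.stat()
            snapshot[str(f)] = {
                "sha256": hashlib.sha256(f.read_bytes()).hexdigest(),
                "mode": stat.S_IMODE(st.st_mode),
                "uid": st.st_uid,
            }
    return snapshot

def audit(baseline, current, expected_uid=0):
    """Compare a current snapshot with the baseline; return sorted (finding, path) pairs."""
    findings = []
    for path, cur in current.items():
        if cur["mode"] & 0o022:  # group- or world-writable
            findings.append(("writable-by-non-owner", path))
        if cur["uid"] != expected_uid:
            findings.append(("unexpected-owner", path))
        if path not in baseline:
            findings.append(("new-file", path))
        elif baseline[path]["sha256"] != cur["sha256"]:
            findings.append(("content-changed", path))
    findings += [("removed", path) for path in baseline if path not in current]
    return sorted(findings)

if __name__ == "__main__":
    baseline_file = Path(sys.argv[1] if len(sys.argv) > 1 else "tlp-baseline.json")
    now = collect(DEFAULT_PATHS)
    if baseline_file.exists():
        for finding, path in audit(json.loads(baseline_file.read_text()), now):
            print(f"{finding}: {path}")
    else:  # first run: record the known-good state
        baseline_file.write_text(json.dumps(now, indent=2))
```

Record the baseline from a known-good state and keep the baseline file where unprivileged local users cannot write to it, otherwise the comparison proves nothing.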
Update TLP to version 1.9.1 or later. This fixes the authentication vulnerability, so local users can no longer control the power profile and the daemon’s log settings.
CVE-2025-67859 is a vulnerability in TLP versions 1.9–1.9.1 that allows local users to control power profiles and log settings. Its CVSS severity is pending evaluation.
You are affected if you are running TLP versions 1.9 or 1.9.1. Upgrade to 1.9.1 to mitigate the risk.
Upgrade TLP to version 1.9.1 or later. If upgrading is not possible, restrict access to TLP configuration files.
There is currently no evidence of active exploitation of CVE-2025-67859.
Refer to the TLP project's official website or security mailing list for the advisory related to CVE-2025-67859.