平台
go
组件
github.com/openbao/openbao
修复版本
2.3.3
2.3.2
0.0.0-20250806194004-a14053c9679d
CVE-2025-54997 describes a critical Remote Code Execution (RCE) vulnerability discovered in the OpenBao Operator, a Go-based component. This vulnerability allows a privileged attacker to execute arbitrary code on the underlying host, potentially leading to complete system compromise. The vulnerability impacts versions prior to v2.3.2. A fix has been released in version 0.0.0-20250806194004-a14053c9679d.
The impact of CVE-2025-54997 is severe due to the RCE nature of the vulnerability. A successful exploit allows an attacker with privileged access to the OpenBao Operator to execute arbitrary commands on the host system. This could lead to data theft, system takeover, and potential lateral movement within the network. The attacker could install malware, modify system configurations, or disrupt services. The blast radius extends to any systems accessible from the compromised host, making this a high-priority vulnerability to address.
CVE-2025-54997 was published on 2025-08-11. The vulnerability's severity is considered critical due to the potential for remote code execution. Public proof-of-concept (POC) code is currently unknown, but the high CVSS score suggests a potential for rapid exploitation. It is not currently listed on CISA KEV as of this writing.
Organizations deploying OpenBao Operator in production environments, particularly those with privileged access controls or shared infrastructure, are at significant risk. Environments utilizing older, unpatched versions of the OpenBao Operator are especially vulnerable.
• linux / server:
journalctl -u openbao -g 'error' -g 'critical'• go / supply-chain: Inspect the OpenBao Operator's deployment manifests for any unusual or suspicious configurations that could facilitate privilege escalation. • generic web: Monitor access logs for requests targeting the OpenBao Operator's API endpoints, particularly those related to privileged operations.
disclosure
漏洞利用状态
EPSS
0.15% (36% 百分位)
CISA SSVC
CVSS 向量
The primary mitigation for CVE-2025-54997 is to upgrade the OpenBao Operator to version 0.0.0-20250806194004-a14053c9679d or later. If immediate upgrade is not possible due to compatibility issues, consider implementing strict access controls to the OpenBao Operator, limiting privileged access to only authorized personnel. Review and audit existing configurations to identify any potential misconfigurations that could exacerbate the vulnerability. Monitor system logs for suspicious activity related to the OpenBao Operator. After upgrade, confirm the fix by attempting to trigger the vulnerable code path and verifying that it is no longer exploitable.
将 OpenBao 更新到版本 2.3.2 或更高版本。 另外,可以使用显式拒绝策略阻止对 sys/audit/* 端点的访问。 请注意,root 用户无法通过这种方式进行限制。
漏洞分析和关键警报直接发送到您的邮箱。
CVE-2025-54997 is a critical Remote Code Execution vulnerability affecting versions of OpenBao Operator before v2.3.2, allowing attackers to execute code on the host system.
If you are using OpenBao Operator versions prior to v2.3.2, you are vulnerable to this RCE vulnerability. Check your deployment version immediately.
Upgrade to version 0.0.0-20250806194004-a14053c9679d or later to patch the vulnerability. Implement access controls as a temporary mitigation.
While no active exploitation has been publicly confirmed, the high CVSS score and RCE nature suggest a potential for rapid exploitation.
Refer to the OpenBao project's official advisory channels for the most up-to-date information and security announcements.
上传你的 go.mod 文件,立即知道是否受影响。