CVE-2024-6174

8.8 HIGH

📋 TL;DR

When cloud-init decides it is running on a non-x86 platform, its platform detection fetches instance configuration from a hardcoded URL on a local (link-local) IP address and applies whatever it receives as root. Anyone who can answer requests to that address on the instance's network segment can therefore hand the instance user-data that runs with root privileges. Affected: cloud-init on non-x86 architectures (ARM, PowerPC, etc.) whose configuration still lets cloud-init enumerate platforms instead of pinning one datasource.

💻 Affected Systems

Products:
  • cloud-init
Versions: Upstream releases before 25.1.3 (distributions may backport the fix to older version numbers; check your vendor's security notice)
Operating Systems: Linux distributions using cloud-init
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerable code path is only reached on non-x86 architectures (ARM, PowerPC, etc.), and only when cloud-init enumerates platforms, i.e. no explicit `datasource_list` pins it to the one datasource the instance actually runs on.

📦 What is this software?

cloud-init is the de-facto standard tool for first-boot initialization of cloud instances across Linux distributions. At boot it detects which cloud platform it is running on (the "datasource"), fetches instance metadata and user-data from that platform's metadata service, and applies them as root: setting hostnames and users, installing SSH keys, writing files and running arbitrary scripts. Whoever controls the metadata it trusts controls the instance.
⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker on the instance's local network segment answers at the hardcoded local address and returns crafted user-data; cloud-init executes it as root, giving full system compromise, credential and data theft, and a foothold for lateral movement within the environment.

🟠

Likely Case

A neighbouring host or rogue service on the same segment (a compromised VM, a misconfigured network appliance, or anything that can spoof the local address) gains root on booting non-x86 instances, allowing it to install malware, exfiltrate data, or disrupt services.

🟢

If Mitigated

Limited impact if cloud-init is pinned to a single known datasource, or if the instance's network segment does not let untrusted hosts answer at the local address; the vulnerable code still exists until the package is patched.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to be able to answer requests sent to the hardcoded local address from the instance's network segment (adjacent network position, address spoofing, or control of the routing in front of the instance), and the instance must run platform detection, which happens at boot or whenever cloud-init's instance state is cleaned. No credentials on the target are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 25.1.3

Vendor Advisory: https://github.com/canonical/cloud-init/releases/tag/25.1.3

Restart Required: No (cloud-init runs at boot; the patched code is used the next time cloud-init performs datasource detection)

Instructions:

1. Update cloud-init to version 25.1.3 or later (or the distribution build that carries the fix) using your package manager.
2. Ubuntu/Debian: sudo apt update && sudo apt install cloud-init
3. RHEL/CentOS/Fedora: sudo dnf update cloud-init (sudo yum update cloud-init on older releases)
4. Verify the installed version: cloud-init --version

🔧 Temporary Workarounds

Pin the datasource (disable platform enumeration)

linux

cloud-init only reaches the vulnerable path when it enumerates platforms to guess where it is running. Pinning `datasource_list` in a drop-in under /etc/cloud/cloud.cfg.d/ to the one platform the instance is known to run on removes the guesswork. Replace `OpenStack` below with your actual platform (for example `Ec2`, `Azure`, `GCE`, `NoCloud`), or use `None` for a host that should not talk to any metadata service at all. The drop-in takes effect the next time cloud-init runs datasource detection (the next boot); do not run `cloud-init clean` on a production instance to "apply" it, since that discards the instance state and makes the next boot re-run all first-boot stages.

sudo tee /etc/cloud/cloud.cfg.d/99-pin-datasource.cfg <<'EOF'
# Pinned to avoid platform enumeration (CVE-2024-6174)
datasource_list: [ OpenStack, None ]
EOF
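As an added example (not part of cloud-init or of the original page), the following script writes the pin above for one or more named datasources, refusing names it does not recognise so a typo cannot silently leave the instance without a datasource. The file name 99-pin-datasource.cfg and the `CFG_DIR` override are assumptions of this example; the datasource names are a subset of those cloud-init accepts.

```shell
#!/usr/bin/env bash
# Added example, not cloud-init's own tooling: pin cloud-init to one known
# datasource so it never enumerates platforms (CVE-2024-6174 workaround).
# Assumptions: the drop-in file name 99-pin-datasource.cfg (any name under
# cloud.cfg.d works) and that the caller knows the instance's real platform.
set -eu

# Override for dry runs / tests; the real target is cloud-init's drop-in dir.
CFG_DIR="${CFG_DIR:-/etc/cloud/cloud.cfg.d}"

# Subset of datasource names cloud-init accepts; "None" means "no cloud,
# local configuration only". Extend for platforms not listed here.
KNOWN_DS="Azure Ec2 GCE OpenStack NoCloud ConfigDrive MAAS OVF LXD Oracle VMware None"

# is_known_ds NAME -> 0 if NAME is in KNOWN_DS (exact, case-sensitive)
is_known_ds() {
    local name
    for name in $KNOWN_DS; do
        [ "$name" = "$1" ] && return 0
    done
    return 1
}

# render_datasource_list DS... -> the YAML line cloud-init reads,
# e.g. "datasource_list: [ OpenStack, None ]"
render_datasource_list() {
    local ds list=""
    for ds in "$@"; do
        list="${list:+$list, }$ds"
    done
    printf 'datasource_list: [ %s ]\n' "$list"
}

# write_pin DS... -> validates every name, writes the drop-in, prints its path
write_pin() {
    local ds path="$CFG_DIR/99-pin-datasource.cfg"
    [ "$#" -gt 0 ] || { echo "write_pin: need at least one datasource" >&2; return 1; }
    for ds in "$@"; do
        is_known_ds "$ds" || { echo "write_pin: unknown datasource '$ds'" >&2; return 1; }
    done
    {
        printf '# Pinned to avoid platform enumeration (CVE-2024-6174); edit if the instance moves clouds.\n'
        render_datasource_list "$@"
    } > "$path"
    printf '%s\n' "$path"
}

# Usage: sudo ./pin-datasource.sh OpenStack None
# Takes effect at the next boot; no cloud-init clean required.
if [ "$#" -gt 0 ]; then
    write_pin "$@"
fi
```

Run it with the platform the instance actually uses; if you are not sure, compare what `cloud-id` reports against your inventory rather than trusting the detection result on a vulnerable host.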

🧯 If You Can't Patch

  • Make sure no untrusted host can answer at the hardcoded local address on the instance's segment: filter link-local traffic at the hypervisor/virtual switch, and keep non-x86 instances off shared segments with tenant-controlled machines
  • Avoid rebooting or re-initialising non-x86 instances on untrusted segments until patched, since detection only runs at boot
  • Monitor for unexpected root activity right after boot and for cloud-init selecting a datasource that does not match the instance's known platform

🔍 How to Verify

Check if Vulnerable:

Check the cloud-init version and the CPU architecture (only non-x86 hosts reach the vulnerable path): cloud-init --version && uname -m

Then check whether cloud-init is enumerating platforms or pinned: grep -h datasource_list /etc/cloud/cloud.cfg /etc/cloud/cloud.cfg.d/*.cfg, and compare the datasource cloud-init actually chose (cloud-id) with the platform you know the instance runs on.

Check Version:

cloud-init --version

Verify Fix Applied:

Verify the upstream version is 25.1.3 or later: cloud-init --version. Distributions backport security fixes without changing the upstream version number, so on a distro package also confirm the CVE in the package changelog or the vendor's security notice.
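The checks above, as an added example (not part of cloud-init or of the original page): a script that classifies a host from the `cloud-init --version` line and `uname -m`. It strips any distro packaging suffix before comparing against 25.1.3 and deliberately reports "check-needed" rather than "vulnerable" for older versions, because a backported fix cannot be seen in the version string. The output labels are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not cloud-init's own tooling: decide whether a host is in
# scope for CVE-2024-6174 from `cloud-init --version` output and `uname -m`.
set -eu

FIXED_UPSTREAM="25.1.3"   # first upstream release with the fix

# upstream_version "/usr/bin/cloud-init 24.4-0ubuntu1~24.04.1" -> "24.4"
# Takes the last word of the line and drops everything from the first '-'
# (the distro packaging suffix).
upstream_version() {
    local v="${1##* }"
    printf '%s\n' "${v%%-*}"
}

# version_lt A B -> true when A sorts strictly before B under `sort -V`
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# is_non_x86 ARCH -> true for every architecture except x86 variants;
# the vulnerable detection path is only reached off x86.
is_non_x86() {
    case "$1" in
        x86_64|i?86|amd64) return 1 ;;
        *) return 0 ;;
    esac
}

# assess VERSION_LINE ARCH -> not-affected-x86 | patched-upstream | check-needed
assess() {
    local line="$1" arch="$2" v
    v="$(upstream_version "$line")"
    if ! is_non_x86 "$arch"; then
        printf 'not-affected-x86\n'
    elif ! version_lt "$v" "$FIXED_UPSTREAM"; then
        printf 'patched-upstream\n'
    else
        # Older than 25.1.3 on non-x86: either vulnerable or carrying a
        # backported fix. Only the distro changelog / security notice tells.
        printf 'check-needed\n'
    fi
}

if [ "$#" -eq 2 ]; then
    assess "$1" "$2"                                   # offline: version line + arch
elif [ "$#" -eq 0 ] && command -v cloud-init >/dev/null 2>&1; then
    assess "$(cloud-init --version 2>&1)" "$(uname -m)"   # live host
fi
```

For fleet use, run it on a saved inventory of version lines (for example `./assess.sh "/usr/bin/cloud-init 24.4-0ubuntu1~24.04.1" aarch64`) rather than executing it on each host at boot time.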

📡 Detection & Monitoring

Log Indicators:

  • /var/log/cloud-init.log on a non-x86 host showing datasource detection searching through several datasources (enumeration) instead of the single pinned one
  • cloud-init selecting a datasource that does not match the instance's known platform (compare the "Loaded datasource" line or the output of cloud-id with your inventory)
  • User-data in /var/lib/cloud/instance/user-data.txt that you did not provision, followed by root activity (new users, SSH keys, packages, services) in auth.log/syslog shortly after boot

Network Indicators:

  • Requests from booting non-x86 instances to the hardcoded local metadata address being answered by a host other than the platform's metadata service (unexpected MAC address or ARP changes for that address on the segment)
  • Metadata-style HTTP traffic on segments where no metadata service should exist

SIEM Query:

Match cloud-init's detection log lines and alert when the searched list contains more than one real datasource on a non-x86 host, or when the loaded datasource differs from the platform recorded in your CMDB, e.g.:

source="/var/log/cloud-init.log" AND ("Searching for local data source in" OR "Loaded datasource")
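The two log checks described above, implemented as an added example (not cloud-init's own tooling and not from the original page). The sample log lines are constructed for this example, loosely modeled on cloud-init.log's "Searching for local data source in: [...]" and "Loaded datasource DataSourceX - ..." lines; confirm the exact wording against your own logs before deploying. The expected platform name is supplied by the operator, which is the point: detection output on a vulnerable host cannot be trusted to tell you where the host is.

```shell
#!/usr/bin/env bash
# Added example, not cloud-init's own tooling: two checks over cloud-init.log
# for CVE-2024-6174 exposure. Assumptions: the "Searching for local data
# source in: [...]" and "Loaded datasource DataSourceX" log lines, and an
# operator-known expected platform name.
set -eu

# Constructed sample logs (not captured from a real incident).
BAD_LOG="$(cat <<'EOF'
2025-06-01 10:00:01,001 - stages.py[DEBUG]: Searching for local data source in: ['NoCloud', 'ConfigDrive', 'OpenStack', 'Ec2', 'None']
2025-06-01 10:00:02,345 - stages.py[INFO]: Loaded datasource DataSourceOpenStack - DataSourceOpenStack [net,ver=2]
EOF
)"
GOOD_LOG="$(cat <<'EOF'
2025-06-01 10:00:01,001 - stages.py[DEBUG]: Searching for local data source in: ['Azure', 'None']
2025-06-01 10:00:02,345 - stages.py[INFO]: Loaded datasource DataSourceAzure - DataSourceAzure [seed=/dev/sr0]
EOF
)"

# count_real_datasources LOG -> number of entries in the searched list other
# than "None"; more than 1 means cloud-init is enumerating platforms.
# Prints nothing if no detection line is present.
count_real_datasources() {
    printf '%s\n' "$1" | awk '
        /Searching for local data source in: \[/ {
            s = $0; sub(/.*in: \[/, "", s); sub(/].*/, "", s)
            n = split(s, parts, ","); c = 0
            for (i = 1; i <= n; i++) {
                gsub(/[^A-Za-z0-9]/, "", parts[i])      # strip quotes/spaces
                if (parts[i] != "" && parts[i] != "None") c++
            }
            print c; exit
        }'
}

# selected_datasource LOG -> datasource name cloud-init loaded, e.g. OpenStack
selected_datasource() {
    printf '%s\n' "$1" | sed -n 's/.*Loaded datasource DataSource\([A-Za-z0-9]*\).*/\1/p' | head -n1
}

# check_log LOG EXPECTED -> "ok", or ';'-joined findings:
#   enumeration:N  (N real datasources searched, N > 1)
#   mismatch:X     (loaded datasource X differs from EXPECTED)
check_log() {
    local log="$1" expected="$2" n sel out=""
    n="$(count_real_datasources "$log")"
    sel="$(selected_datasource "$log")"
    if [ -n "$n" ] && [ "$n" -gt 1 ]; then out="enumeration:$n"; fi
    if [ -n "$sel" ] && [ "$sel" != "$expected" ]; then out="${out:+$out;}mismatch:$sel"; fi
    printf '%s\n' "${out:-ok}"
}

if [ "$#" -eq 1 ]; then
    check_log "$(cat /var/log/cloud-init.log)" "$1"   # live host: ./check.sh Azure
else
    check_log "$BAD_LOG" Azure     # constructed sample -> enumeration:4;mismatch:OpenStack
    check_log "$GOOD_LOG" Azure    # constructed sample -> ok
fi
```

Only "enumeration" on a non-x86 host is a configuration finding; "mismatch" after a boot is worth treating as a possible compromise and pairing with a review of /var/lib/cloud/instance/user-data.txt.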
