CVE-2025-0928
📋 TL;DR
This vulnerability allows any authenticated Juju controller user to upload malicious agent binaries to any model or the controller itself, bypassing permission checks. This could lead to remote code execution on new or upgraded machines. All Juju deployments with versions prior to 3.6.8 or 2.9.52 are affected.
💻 Affected Systems
- Juju
📦 What is this software?
Juju by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of Juju-managed infrastructure through poisoned binaries leading to persistent backdoors, data exfiltration, and lateral movement across cloud environments.
Likely Case
Authenticated attackers with controller access distribute malicious binaries to specific models, gaining control over machines as they're provisioned or upgraded.
If Mitigated
With proper access controls and monitoring, impact is limited to unauthorized binary uploads that can be detected before deployment.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward once authentication is obtained. The vulnerability is in the binary upload mechanism itself.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.6.8 and 2.9.52
Vendor Advisory: https://github.com/juju/juju/security/advisories/GHSA-4vc8-wvhw-m5gv
Restart Required: Yes
Instructions:
1. Upgrade the Juju controller to version 3.6.8 or 2.9.52.
2. Restart the Juju controller service.
3. Verify all models are using the patched version.
🔧 Temporary Workarounds
Restrict Controller Access
Limit Juju controller access to trusted administrators only, using network controls and strict authentication.
Monitor Binary Uploads
Implement logging and alerting for agent binary upload operations to detect suspicious activity.
🧯 If You Can't Patch
- Implement strict access controls to limit who can authenticate to Juju controller
- Monitor all binary upload operations and investigate any unauthorized uploads immediately
🔍 How to Verify
Check if Vulnerable:
Check the Juju controller version with the 'juju version' command. If the version is below 3.6.8 (for 3.x) or below 2.9.52 (for 2.x), the system is vulnerable.
Check Version:
juju version
Verify Fix Applied:
After upgrading, run 'juju version' to confirm the version is 3.6.8 or higher (3.x) or 2.9.52 or higher (2.x). Test that authenticated users without model permissions cannot upload binaries.
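The version check above, scripted so it can be run across many controllers. This is an added example, not code from the advisory or from the Juju project; it assumes that 'juju version' prints text beginning with a dotted MAJOR.MINOR.PATCH version, optionally followed by a platform suffix such as "-ubuntu-amd64" (that output format is an assumption). The fixed releases 3.6.8 and 2.9.52 are the ones stated in the advisory; major series the advisory does not mention are reported as not assessed rather than guessed at.

```python
"""Version check for CVE-2025-0928 (Juju agent binary upload).

Added example, not Juju's own code. It assumes `juju version` prints a
string that begins with a dotted MAJOR.MINOR.PATCH version, optionally
followed by a dash and platform suffix (e.g. "3.6.8-ubuntu-amd64"); that
output format is an assumption, not something stated in the advisory.
"""
import re
import subprocess
from typing import Optional, Tuple

# Fixed versions from the advisory: 3.x is fixed at 3.6.8, 2.x at 2.9.52.
FIXED_VERSIONS = {3: (3, 6, 8), 2: (2, 9, 52)}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_juju_version(output: str) -> Tuple[int, int, int]:
    """Extract (major, minor, patch) from `juju version` output.

    Raises ValueError if the text does not start with a dotted version,
    so a missing binary or an error message is never mistaken for a
    patched host.
    """
    m = _VERSION_RE.match(output)
    if not m:
        raise ValueError(f"unrecognised juju version output: {output!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_vulnerable(version: Tuple[int, int, int]) -> Optional[bool]:
    """True if the version is below the fixed release for its major series,
    False if it is at or above it, None when the advisory does not cover
    that major series (anything other than 2.x or 3.x)."""
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    # Tuple comparison orders (major, minor, patch) lexicographically.
    return version < fixed


def assess(output: str) -> str:
    """Human-readable verdict for one `juju version` output string."""
    version = parse_juju_version(output)
    verdict = is_vulnerable(version)
    tag = ".".join(map(str, version))
    if verdict is None:
        return f"{tag}: not covered by the CVE-2025-0928 advisory"
    if verdict:
        fixed = ".".join(map(str, FIXED_VERSIONS[version[0]]))
        return f"{tag}: VULNERABLE, upgrade to {fixed} or later"
    return f"{tag}: patched"


if __name__ == "__main__":
    # Run the real command on this host; kept out of the import path so the
    # parsing and comparison logic can be exercised without a Juju install.
    out = subprocess.run(["juju", "version"], capture_output=True,
                         text=True, check=True).stdout
    print(assess(out))
```

Because the comparison is on the parsed tuple rather than on the raw string, 2.10.x is correctly treated as later than 2.9.52, and a host where 'juju' is missing or prints an error raises instead of silently passing.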
📡 Detection & Monitoring
Log Indicators:
- Unauthorized binary upload attempts
- Agent binary uploads from non-admin users
- Unexpected binary files in Juju storage
Network Indicators:
- Unusual outbound connections from Juju-managed machines after provisioning
- Binary downloads from unexpected sources during machine setup
SIEM Query:
source="juju-controller" AND (event="binary-upload" OR event="agent-download") AND user!="admin"
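The SIEM query above expressed as a filter over log records, run here against constructed sample lines. This is an added example, not code from the advisory or the Juju project: the JSON-lines layout and the field names source, event, user and model are assumptions chosen to mirror the query, and real Juju controller audit output will differ. It generalises the query's user!="admin" clause to a configurable set of authorised uploaders, since machine agents legitimately download binaries after an upgrade and would otherwise appear in every result.

```python
"""Detection logic for the CVE-2025-0928 SIEM query, run over constructed
sample log records. Added example, not Juju's own code; the record layout
is an assumption that mirrors the query's field names, not a real Juju
audit-log format."""
import json
from typing import Dict, Iterable, List

# Events the query treats as binary movement on the controller.
WATCHED_EVENTS = {"binary-upload", "agent-download"}

# Constructed sample log lines (not real Juju output).
SAMPLE_LOG = """\
{"ts": "2025-07-01T10:00:01Z", "source": "juju-controller", "event": "binary-upload", "user": "admin", "model": "controller"}
{"ts": "2025-07-01T10:02:17Z", "source": "juju-controller", "event": "binary-upload", "user": "dev-bob", "model": "prod-db"}
{"ts": "2025-07-01T10:03:40Z", "source": "juju-controller", "event": "model-deploy", "user": "dev-bob", "model": "prod-db"}
{"ts": "2025-07-01T10:05:05Z", "source": "juju-controller", "event": "agent-download", "user": "machine-7", "model": "prod-db"}
{"ts": "2025-07-01T10:06:00Z", "source": "other-host", "event": "binary-upload", "user": "dev-bob", "model": "x"}
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Parse JSON-lines text, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def suspicious_binary_events(records: Iterable[Dict[str, str]],
                             authorised_users=("admin",)) -> List[Dict[str, str]]:
    """Records matching the query: source is the controller, the event is a
    watched binary event, and the acting user is not authorised to move
    binaries. Missing fields never match, so malformed lines are dropped
    rather than flagged."""
    allowed = set(authorised_users)
    return [
        r for r in records
        if r.get("source") == "juju-controller"
        and r.get("event") in WATCHED_EVENTS
        and r.get("user") not in allowed
    ]


def hits_by_user(hits: Iterable[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group hits as user -> list of 'event@model' strings, in log order,
    which is the shape an alert or ticket usually wants."""
    grouped: Dict[str, List[str]] = {}
    for r in hits:
        grouped.setdefault(r["user"], []).append(f"{r['event']}@{r.get('model', '?')}")
    return grouped


if __name__ == "__main__":
    records = parse_records(SAMPLE_LOG)
    for user, events in hits_by_user(suspicious_binary_events(records)).items():
        print(f"{user}: {', '.join(events)}")
```

On the sample, the literal query flags both the developer's upload to prod-db and the machine agent's download; passing the machine agent as an authorised user leaves only the upload, which is the event this advisory is about.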