CVE-2025-12548
📋 TL;DR
This vulnerability in Eclipse Che che-machine-exec allows unauthenticated attackers to execute arbitrary commands and steal secrets (SSH keys, tokens) from other users' Developer Workspace containers via an exposed JSON-RPC/websocket API on port 3333. It affects Eclipse Che deployments with the vulnerable component exposed.
💻 Affected Systems
- Eclipse Che
- Red Hat OpenShift Dev Spaces
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all Developer Workspace containers, exfiltration of all secrets, and persistent backdoor installation across the Eclipse Che environment.
Likely Case
Unauthenticated attackers executing commands in containers, stealing SSH keys and authentication tokens, and potentially pivoting to other systems.
If Mitigated
Limited impact if network access to port 3333 is restricted and proper authentication controls are implemented.
🎯 Exploit Status
The vulnerability requires network access to port 3333 but no authentication, making exploitation straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Eclipse Che 7.94.0+, Red Hat OpenShift Dev Spaces 3.15+
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-12548
Restart Required: Yes
Instructions:
1. Update Eclipse Che to version 7.94.0 or later.
2. Update Red Hat OpenShift Dev Spaces to version 3.15 or later.
3. Restart all affected services and containers.
🔧 Temporary Workarounds
Block Port 3333
Restrict network access to the vulnerable port 3333 using firewall rules.
sudo iptables -A INPUT -p tcp --dport 3333 -j DROP
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port port="3333" protocol="tcp" reject'
sudo firewall-cmd --reload
Network Segmentation
Isolate the Eclipse Che deployment from untrusted networks using network policies or segmentation.
🧯 If You Can't Patch
- Implement strict network access controls to block all traffic to port 3333 from untrusted sources.
- Monitor network traffic to port 3333 for suspicious activity and implement intrusion detection rules.
🔍 How to Verify
Check if Vulnerable:
Check whether port 3333 is listening and reachable: 'sudo netstat -tlnp | grep 3333' or 'ss -tlnp | grep 3333'. If the port is reachable and a vulnerable Eclipse Che version is running, the system is vulnerable.
Check Version:
For Eclipse Che: Check deployment manifests or 'kubectl describe pod <che-pod> | grep Image'. For OpenShift Dev Spaces: 'oc get devspaces' or check operator version.
Verify Fix Applied:
Verify Eclipse Che version is 7.94.0+ or Red Hat OpenShift Dev Spaces is 3.15+ using deployment configuration or 'kubectl get pods' with appropriate labels.
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution in containers
- Unexpected network connections to/from port 3333
- Authentication failures or bypass attempts on JSON-RPC API
Network Indicators:
- Unusual traffic to TCP port 3333 from external IPs
- JSON-RPC requests to che-machine-exec endpoint without authentication
- Websocket connections to port 3333 with command execution patterns
SIEM Query:
(source_port=3333 OR dest_port=3333) AND (protocol="websocket" OR http_user_agent CONTAINS "JSON-RPC")
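As an added example, not part of this advisory, the same indicator logic applied in Python to a few constructed connection-log records, with the port test grouped so the AND applies to both directions and external client addresses called out separately. The JSON field names and the internal CIDR ranges are assumptions; adjust them to what your proxy or flow collector emits.

```python
"""Flag connection-log records matching the CVE-2025-12548 network indicators."""
import ipaddress
import json

CHE_MACHINE_EXEC_PORT = 3333

# Assumption: these are the cluster-internal ranges; anything else is "external".
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def matches_indicator(rec: dict) -> bool:
    """(src_port=3333 OR dst_port=3333) AND (websocket OR JSON-RPC user agent).
    The parentheses matter: without them AND binds only to the dst_port test."""
    on_port = CHE_MACHINE_EXEC_PORT in (rec.get("src_port"), rec.get("dst_port"))
    exec_like = (rec.get("protocol") == "websocket"
                 or "JSON-RPC" in rec.get("user_agent", ""))
    return on_port and exec_like


def triage(lines):
    """Return (reason, record) for every matching line; the reason marks whether
    the client address falls outside the assumed internal ranges."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if not matches_indicator(rec):
            continue
        side = "external" if is_external(rec["src_ip"]) else "internal"
        hits.append((f"{side}-exec-api-3333", rec))
    return hits


# Constructed sample records (not real traffic), one JSON object per line.
SAMPLE_LOG = [
    '{"src_ip":"203.0.113.5","src_port":51000,"dst_ip":"10.1.2.3","dst_port":3333,"protocol":"websocket","user_agent":"Mozilla/5.0"}',
    '{"src_ip":"10.1.2.9","src_port":51001,"dst_ip":"10.1.2.3","dst_port":3333,"protocol":"http","user_agent":"JSON-RPC client"}',
    '{"src_ip":"203.0.113.9","src_port":51002,"dst_ip":"10.1.2.3","dst_port":3333,"protocol":"http","user_agent":"curl/8.0"}',
    '{"src_ip":"10.1.2.9","src_port":51003,"dst_ip":"10.1.2.3","dst_port":443,"protocol":"websocket","user_agent":"Mozilla/5.0"}',
]

if __name__ == "__main__":
    for reason, rec in triage(SAMPLE_LOG):
        print(reason, rec["src_ip"], "->", rec["dst_ip"], rec["dst_port"])
```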