CVE-2025-12801
📋 TL;DR
A vulnerability in the rpc.mountd daemon in nfs-utils allows NFSv3 clients to bypass access restrictions defined in /etc/exports. This enables unauthorized access to subdirectories of exported directories, ignoring permissions and squash settings. Systems using NFSv3 with nfs-utils are affected.
💻 Affected Systems
- nfs-utils
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Unauthorized users gain full read/write access to sensitive data on NFS shares, potentially leading to data theft, modification, or destruction.
Likely Case
Clients access directories they shouldn't, violating intended access controls and potentially exposing confidential information.
If Mitigated
Limited impact if NFS shares contain only non-sensitive data or if additional network segmentation prevents exploitation.
🎯 Exploit Status
Exploitation requires NFS client access to the server. This is not an authentication bypass; it bypasses the export restrictions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor-specific updates (e.g., Red Hat, Ubuntu)
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-12801
Restart Required: Yes
Instructions:
1. Update the nfs-utils package via the package manager (e.g., 'yum update nfs-utils' on RHEL).
2. Restart NFS services (e.g., 'systemctl restart nfs-server').
🔧 Temporary Workarounds
Disable NFSv3
Switch to NFSv4 only, as the vulnerability is specific to NFSv3.
Edit /etc/nfs.conf or distribution-specific config to disable NFSv3 (e.g., set 'vers3=n' in /etc/nfsmount.conf).
Restart NFS services.
Restrict NFS Access
Limit NFS exports to trusted networks using firewall rules.
Use iptables or firewalld to restrict NFS ports (2049, 111) to specific IPs.
🧯 If You Can't Patch
- Migrate critical data off NFS shares to alternative storage solutions.
- Implement strict network segmentation to isolate NFS servers from untrusted clients.
🔍 How to Verify
Check if Vulnerable:
Check the installed nfs-utils version and compare it with the patched versions listed in vendor advisories.
Check Version:
rpm -q nfs-utils (RHEL) or dpkg -l nfs-common (Debian/Ubuntu)
Verify Fix Applied:
Verify that the updated nfs-utils package is installed and that NFS services have been restarted.
📡 Detection & Monitoring
Log Indicators:
- Unusual mount requests in /var/log/messages or NFS server logs.
- Access to directories not listed in /etc/exports.
Network Indicators:
- NFSv3 traffic from unexpected sources.
- Mount protocol requests bypassing export rules.
SIEM Query:
source="nfs_logs" AND (event="mount" OR event="access") AND dest_path NOT IN exports_list
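The query above, worked through as an added example (not code from this page or from nfs-utils): it compares mount requests in server logs against the paths in /etc/exports and reports any request that is not for an export root. The log line shape, the regular expression and all sample data are assumptions constructed for illustration; adjust the pattern to what your rpc.mountd actually writes.

```python
import re
from pathlib import PurePosixPath

# Constructed sample inputs, not taken from a real system.
SAMPLE_EXPORTS = """\
# /etc/exports
/srv/nfs/projects  10.0.0.0/24(rw,root_squash)
/srv/nfs/public    *(ro,all_squash)
"""
SAMPLE_LOG = """\
Jan 12 10:01:02 nfs1 rpc.mountd[811]: authenticated mount request from 10.0.0.15:921 for /srv/nfs/projects (/srv/nfs/projects)
Jan 12 10:04:40 nfs1 rpc.mountd[811]: authenticated mount request from 10.0.0.77:743 for /srv/nfs/projects/finance/payroll (/srv/nfs/projects)
Jan 12 10:05:13 nfs1 rpc.mountd[811]: refused mount request from 192.0.2.9 for /srv/nfs/private (/): not exported
Jan 12 10:06:00 nfs1 rpc.mountd[811]: authenticated mount request from 10.0.0.15:921 for /srv/nfs/public (/srv/nfs/public)
"""

# Assumed line shape: "<verdict> mount request from <client>[:port] for <path> (<export>)"
MOUNT_RE = re.compile(
    r"(?P<verdict>authenticated|refused) mount request from "
    r"(?P<client>\S+?)(?::\d+)? for (?P<path>\S+) \((?P<export>[^)\n]*)\)"
)

def parse_exports(text):
    """Return the exported directory paths listed in /etc/exports content."""
    paths = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            paths.add(str(PurePosixPath(line.split()[0])))
    return paths

def classify(path, exports):
    """Label a requested path relative to the configured exports."""
    p = PurePosixPath(path)
    if str(p) in exports:
        return "export_root"
    if any(PurePosixPath(e) in p.parents for e in exports):
        return "subdirectory"  # below an export: the case this CVE concerns
    return "not_exported"

def review_mounts(log_text, exports_text):
    """Return (client, path, verdict, kind) for mounts that are not an export root."""
    exports = parse_exports(exports_text)
    findings = []
    for m in MOUNT_RE.finditer(log_text):
        kind = classify(m["path"], exports)
        if kind != "export_root":
            findings.append((m["client"], m["path"], m["verdict"], kind))
    return findings
```

Subdirectory mounts are normal NFSv3 behaviour in many deployments, so treat each hit as a lead to check against the client restrictions and squash options in /etc/exports rather than as confirmed abuse.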
🔗 References
- https://access.redhat.com/errata/RHSA-2026:3938
- https://access.redhat.com/errata/RHSA-2026:3939
- https://access.redhat.com/errata/RHSA-2026:3940
- https://access.redhat.com/errata/RHSA-2026:3941
- https://access.redhat.com/errata/RHSA-2026:3942
- https://access.redhat.com/security/cve/CVE-2025-12801
- https://bugzilla.redhat.com/show_bug.cgi?id=2413081