CVE-2025-13193
📋 TL;DR
This vulnerability in libvirt allows unprivileged users to read snapshots of shut-down virtual machines, exposing guest OS contents. It affects systems using libvirt for virtualization management where external snapshots are created for inactive VMs. The flaw enables unauthorized information disclosure of potentially sensitive data from VM snapshots.
💻 Affected Systems
- libvirt
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Sensitive data from VM snapshots (including credentials, configuration files, application data) is exposed to any local user, potentially leading to lateral movement or data theft.
Likely Case
Unauthorized users can inspect VM snapshot contents, gaining insight into guest OS configurations, installed software, and potentially sensitive files.
If Mitigated
With proper access controls and monitoring, impact is limited to information disclosure of non-critical data from specific VM snapshots.
🎯 Exploit Status
Exploitation requires local access to the host system and knowledge of snapshot locations. No authentication bypass needed beyond local user access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor-specific updates (e.g., libvirt 9.10.0 or later for RHEL-based systems)
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-13193
Restart Required: No
Instructions:
1. Check your distribution's security advisories.
2. Update libvirt packages using your package manager.
3. For RHEL/CentOS: yum update libvirt
4. For Ubuntu/Debian: apt update && apt upgrade libvirt
5. No VM restart is required, but consider restarting the libvirtd service.
🔧 Temporary Workarounds
Manual permission correction (Linux)
Manually set correct permissions on existing snapshots to prevent unauthorized access:
find /var/lib/libvirt/qemu/snapshot/ -type f -name "*.img" -exec chmod 600 {} \;
find /var/lib/libvirt/qemu/snapshot/ -type f -name "*.xml" -exec chmod 600 {} \;
Disable external snapshots for inactive VMs (Linux)
Configure libvirt to avoid creating external snapshots for shut-down VMs: edit the libvirt configuration to use internal snapshots, or avoid snapshots for inactive VMs altogether.
🧯 If You Can't Patch
- Implement strict access controls on libvirt directories and files
- Monitor access to snapshot files and audit file permissions regularly
🔍 How to Verify
Check if Vulnerable:
Check if external snapshot files for shut-down VMs have world-readable permissions: 'ls -la /var/lib/libvirt/qemu/snapshot/*.img'
Check Version:
libvirtd --version
Verify Fix Applied:
Verify snapshot files have proper permissions (600) and check libvirt version is patched
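The workaround and the verification steps above both come down to the same check: which snapshot files under the libvirt directory are readable by anyone other than their owner. The script below is an added example (not code from the advisory page or from the libvirt project) that turns that check into a reusable audit, with an optional fix mode mirroring the chmod 600 workaround. It assumes the page's snapshot path as the default directory; where external overlay files actually live depends on the storage pool configuration, and since overlays are normally qcow2 files, *.qcow2 is checked alongside the *.img and *.xml patterns the page uses.

```shell
#!/bin/sh
# Added example (not from the advisory page or the libvirt project): audit
# libvirt snapshot files for modes that let other local users read them, and
# optionally tighten them to 0600 as the page's workaround does.
# ASSUMPTION: SNAP_DIR defaults to the page's path; the real location of
# external overlay files depends on the storage pool configuration, and
# overlay images are usually qcow2, so *.qcow2 is checked as well.

SNAP_DIR="${SNAP_DIR:-/var/lib/libvirt/qemu/snapshot}"

# List snapshot-related regular files under $1 that are readable by group or
# others (any of the 0044 bits set). One path per line; empty output is clean.
list_exposed_snapshots() {
    find "$1" -type f \
        \( -name '*.img' -o -name '*.qcow2' -o -name '*.xml' \) \
        \( -perm -004 -o -perm -040 \) -print
}

# Number of exposed files under $1, printed as a bare integer.
count_exposed_snapshots() {
    list_exposed_snapshots "$1" | wc -l | tr -d ' '
}

# Restrict every exposed file under $1 to owner read/write only (0600).
# Ownership is deliberately left alone: a chown would require a policy
# decision about which user libvirt runs QEMU as on this host.
fix_snapshot_perms() {
    list_exposed_snapshots "$1" | while IFS= read -r f; do
        chmod 600 "$f" && printf 'fixed %s\n' "$f"
    done
}

# Usage: sh snapshot-perms.sh --audit   (report only)
#        sh snapshot-perms.sh --fix     (report and tighten)
case "${1:-}" in
    --audit) list_exposed_snapshots "$SNAP_DIR" ;;
    --fix)   fix_snapshot_perms "$SNAP_DIR" ;;
esac
```

Run it with --audit first and review the list before using --fix: a non-empty result on a host where libvirt is already patched points at snapshot files created before the update, which the patch does not retroactively correct.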
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to snapshot files in /var/lib/libvirt/qemu/snapshot/
- File permission changes on snapshot files
Network Indicators:
- N/A - Local vulnerability only
SIEM Query:
(source="/var/log/secure" AND "permission denied" AND "/var/lib/libvirt/qemu/snapshot") OR (source="/var/log/audit/audit.log" AND type=SYSCALL AND exe="/usr/bin/cat" AND path="/var/lib/libvirt/qemu/snapshot/*")
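The log indicators above assume that reads of the snapshot directory are actually being recorded; on most hosts they are not until an audit watch is in place. The following added example (not from the advisory page) shows the auditctl watch that produces those records and a small triage filter that flags reads by non-root users. The auditctl syntax is real; the audit records embedded in the script are constructed samples, not logs from any host, and the key name libvirt_snapshot is an arbitrary label chosen for the example.

```shell
#!/bin/sh
# Added example (not from the advisory page): an auditd watch on the snapshot
# directory plus a triage filter that flags reads by non-root users.
# The rule is real auditctl syntax; the audit records below are CONSTRUCTED
# samples, not logs from any host. The key name is an arbitrary label.
#
# Load the watch (or put the line in /etc/audit/rules.d/libvirt.rules):
#   auditctl -w /var/lib/libvirt/qemu/snapshot -p r -k libvirt_snapshot

SAMPLE_AUDIT='type=SYSCALL msg=audit(1700000000.101:401): arch=c000003e syscall=257 success=yes exit=3 uid=1001 auid=1001 exe="/usr/bin/cat" key="libvirt_snapshot"
type=SYSCALL msg=audit(1700000000.202:402): arch=c000003e syscall=257 success=yes exit=5 uid=0 auid=4294967295 exe="/usr/sbin/libvirtd" key="libvirt_snapshot"
type=SYSCALL msg=audit(1700000000.303:403): arch=c000003e syscall=257 success=no exit=-13 uid=1002 auid=1002 exe="/usr/bin/less" key="libvirt_snapshot"
type=SYSCALL msg=audit(1700000000.404:404): arch=c000003e syscall=257 success=yes exit=4 uid=1003 auid=1003 exe="/usr/bin/vim" key="other_watch"'

# Read audit records on stdin; print those carrying our key whose uid is not 0.
# Denied attempts (success=no, exit=-13 is EACCES) are kept on purpose: a
# refused read after permissions were tightened is still worth a look.
# Matching on the "uid=" field by prefix avoids confusing it with "auid=".
suspicious_snapshot_reads() {
    awk '/key="libvirt_snapshot"/ {
        uid = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^uid=/) uid = substr($i, 5)
        if (uid != "" && uid != "0") print
    }'
}

# Convenience wrapper over the constructed sample: number of flagged records.
count_sample_hits() {
    printf '%s\n' "$SAMPLE_AUDIT" | suspicious_snapshot_reads | wc -l | tr -d ' '
}

# Against a live host: ausearch -k libvirt_snapshot --raw | suspicious_snapshot_reads
```

The filter does not hard-code exe="/usr/bin/cat" the way the SIEM query does, because any reader (less, dd, a copy tool, or a scripting runtime) would expose the same data; the uid test is the part that separates libvirtd's own access from a local user browsing snapshot contents.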