CVE-2025-13609
📋 TL;DR
This vulnerability in keylime allows attackers to impersonate legitimate agents by registering a new agent with a different TPM device while claiming an existing agent's UUID. This identity overwrite enables bypassing security controls and potentially compromising trusted computing environments. Organizations using keylime for remote attestation and integrity verification are affected.
💻 Affected Systems
- keylime
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of trusted computing infrastructure, allowing attackers to bypass remote attestation, inject malicious code into trusted systems, and establish persistent access to sensitive environments.
Likely Case
Unauthorized access to systems protected by keylime, potential data exfiltration, and compromise of integrity verification mechanisms leading to false trust in compromised systems.
If Mitigated
Limited impact with proper network segmentation, monitoring, and additional authentication layers preventing successful exploitation despite the vulnerability.
🎯 Exploit Status
Requires ability to register new agents and knowledge of existing agent UUIDs; TPM device access needed for registration.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat advisories for specific patched versions
Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:23201
Restart Required: Yes
Instructions:
1. Update keylime packages using your distribution's package manager.
2. Restart keylime services.
3. Verify that existing agent registrations are legitimate.
🔧 Temporary Workarounds
Restrict Agent Registration
Platform: Linux
Limit who can register new agents through network controls and authentication
# Configure firewall rules to restrict access to keylime registration endpoints
# Implement additional authentication for agent registration
Monitor Agent UUID Changes
Platform: all
Set up alerts for unexpected agent UUID modifications or duplicate UUIDs
# Monitor keylime logs for registration events
# Alert on UUID changes for existing agents
🧯 If You Can't Patch
- Implement strict network segmentation to isolate keylime infrastructure
- Enable detailed logging and monitoring for all agent registration activities
🔍 How to Verify
Check if Vulnerable:
Check keylime version and compare against patched versions in Red Hat advisories
Check Version:
rpm -q keylime || keylime_verifier --version || python3 -c "import keylime; print(keylime.__version__)"
Verify Fix Applied:
Verify keylime version is updated and test agent registration with duplicate UUIDs (should be rejected)
📡 Detection & Monitoring
Log Indicators:
- Multiple agents with same UUID
- Unexpected agent registration events
- Agent UUID changes without proper authorization
Network Indicators:
- Unusual registration requests to keylime endpoints
- Traffic from unauthorized sources to registration ports
SIEM Query:
source="keylime" AND ("register" OR "uuid") | stats count by uuid | where count > 1
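The log indicators and the SIEM query above flag any UUID that registers more than once; the check below narrows that to the pattern this CVE describes, a known UUID re-registered with a different TPM identity, while leaving a same-TPM re-registration alone. This is an added example, not keylime project code or part of the original advisory: the log line format, the `ek_sha256` field and every value are constructed for illustration and do not reproduce keylime's real registrar log format.

```python
"""Added example, not code from the keylime project or the original advisory.
Flags the pattern behind CVE-2025-13609: a registration that claims an already
registered agent UUID while presenting a different TPM identity. The log line
format and all values below are constructed for illustration; keylime's real
registrar log format differs."""
from typing import Dict, List

# Constructed registration events: timestamp, action, then key=value fields.
SAMPLE_LOG = """\
2025-11-20T10:00:01Z register uuid=d4f1c2a0-0001-4c1e-9a1b-000000000001 ek_sha256=aa11 src=10.0.1.10
2025-11-20T10:00:02Z register uuid=d4f1c2a0-0002-4c1e-9a1b-000000000002 ek_sha256=bb22 src=10.0.1.11
2025-11-20T10:05:00Z register uuid=d4f1c2a0-0001-4c1e-9a1b-000000000001 ek_sha256=aa11 src=10.0.1.10
2025-11-20T11:30:00Z register uuid=d4f1c2a0-0002-4c1e-9a1b-000000000002 ek_sha256=cc33 src=192.0.2.77
"""

def parse_line(line: str) -> Dict[str, str]:
    """Turn one constructed log line into a dict with ts, action and k=v fields."""
    ts, action, *fields = line.split()
    rec = {"ts": ts, "action": action}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def find_identity_overwrites(log: str) -> List[Dict[str, str]]:
    """Return one finding per registration that reuses a known UUID with a
    different TPM endorsement key. A repeat with the same EK (the same machine
    re-registering) is not reported, so legitimate restarts stay quiet."""
    first_seen: Dict[str, Dict[str, str]] = {}
    findings: List[Dict[str, str]] = []
    for line in log.splitlines():
        rec = parse_line(line)
        if rec.get("action") != "register":
            continue
        uuid, ek = rec["uuid"], rec["ek_sha256"]
        # setdefault returns the first record bound to this UUID, or binds this one
        original = first_seen.setdefault(uuid, rec)
        if original is not rec and original["ek_sha256"] != ek:
            findings.append({
                "uuid": uuid,
                "original_ek": original["ek_sha256"],
                "new_ek": ek,
                "original_src": original["src"],
                "new_src": rec["src"],
                "ts": rec["ts"],
            })
    return findings

if __name__ == "__main__":
    for f in find_identity_overwrites(SAMPLE_LOG):
        print(f"ALERT uuid={f['uuid']} ek {f['original_ek']}->{f['new_ek']} "
              f"src {f['original_src']}->{f['new_src']} at {f['ts']}")
```

On the constructed sample, only the second UUID is reported: its fourth-line registration presents a new EK fingerprint from a different source address, while the first UUID's repeat registration with the same EK is ignored.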
🔗 References
- https://access.redhat.com/errata/RHSA-2025:23201
- https://access.redhat.com/errata/RHSA-2025:23210
- https://access.redhat.com/errata/RHSA-2025:23628
- https://access.redhat.com/errata/RHSA-2025:23735
- https://access.redhat.com/errata/RHSA-2025:23852
- https://access.redhat.com/errata/RHSA-2026:0429
- https://access.redhat.com/security/cve/CVE-2025-13609
- https://bugzilla.redhat.com/show_bug.cgi?id=2416761