CVE-2025-14760
📋 TL;DR
This vulnerability in the AWS SDK for C++ allows an attacker with write access to an S3 bucket to manipulate encrypted data keys stored in instruction files, potentially causing decryption to produce different plaintext than originally encrypted. It affects applications using the AWS SDK for C++ with S3 client-side encryption. The risk primarily impacts organizations using vulnerable SDK versions for S3 encryption operations.
💻 Affected Systems
- AWS SDK for C++
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Data integrity compromise where encrypted S3 objects decrypt to maliciously altered content, potentially leading to data corruption, fraud, or system compromise if decrypted data is executed or processed.
Likely Case
Data tampering where encrypted files decrypt to unexpected content, causing application errors, data inconsistencies, or minor operational disruptions.
If Mitigated
Limited impact with proper access controls and monitoring, as the attacker requires S3 bucket write permissions and the specific encryption configuration must be in use.
🎯 Exploit Status
Exploitation requires S3 bucket write permissions and knowledge of the specific encryption setup. No public exploits known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.11.712 or later
Vendor Advisory: https://aws.amazon.com/security/security-bulletins/AWS-2025-032/
Restart Required: Yes
Instructions:
1. Update AWS SDK for C++ to version 1.11.712 or later.
2. Recompile and redeploy affected applications.
3. Restart services using the SDK.
🔧 Temporary Workarounds
Disable instruction file encryption
Configure S3 client-side encryption to store encrypted data keys in S3 object metadata instead of instruction files.
Modify the S3 encryption configuration so the storage method is metadata rather than instruction file; with no instruction file in the bucket, there is no separately stored data key for a writer to alter.
🧯 If You Can't Patch
- Implement strict IAM policies to limit S3 bucket write permissions
- Monitor S3 access logs for unauthorized write attempts to encrypted buckets
🔍 How to Verify
Check if Vulnerable:
Check AWS SDK for C++ version and verify if S3 client-side encryption with instruction files is configured
Check Version:
Check SDK version in build configuration or runtime initialization
Verify Fix Applied:
Confirm the SDK version is 1.11.712 or later and validate that encrypt/decrypt operations round-trip to the original plaintext.
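The version and configuration check above, as an added example that is not part of the original advisory. It parses the SDK version out of the installed `aws/core/VersionConfig.h` (the macro name `AWS_SDK_VERSION_STRING` and the sample header content are assumptions for this example), compares it as a numeric tuple against 1.11.712, and combines the result with the application's data-key storage method; the `"instruction_file"` / `"metadata"` labels are placeholders for whatever setting your build uses.

```python
import re

# Threshold from the official fix on this page: 1.11.712 or later is patched.
PATCHED_VERSION = (1, 11, 705 + 7)  # == (1, 11, 712)

# Constructed sample of an installed SDK's aws/core/VersionConfig.h.
# The macro name AWS_SDK_VERSION_STRING is assumed; adjust if your install differs.
SAMPLE_VERSION_HEADER = """
#pragma once
#define AWS_SDK_VERSION_STRING "1.11.705"
#define AWS_SDK_VERSION_MAJOR 1
#define AWS_SDK_VERSION_MINOR 11
#define AWS_SDK_VERSION_PATCH 705
"""


def parse_sdk_version(header_text: str) -> tuple:
    """Extract (major, minor, patch) from VersionConfig.h content."""
    match = re.search(r'AWS_SDK_VERSION_STRING\s+"(\d+)\.(\d+)\.(\d+)"', header_text)
    if match is None:
        raise ValueError("AWS_SDK_VERSION_STRING not found in header")
    return tuple(int(part) for part in match.groups())


def version_is_patched(version: tuple) -> bool:
    """Tuple comparison orders 1.11.712 above 1.11.9; a string compare would not."""
    return tuple(version) >= PATCHED_VERSION


def assess(version: tuple, storage_method: str) -> str:
    """
    storage_method: how the application stores encrypted data keys.
    "instruction_file" or "metadata" (labels assumed for this example).
    """
    if version_is_patched(version):
        return "not vulnerable: SDK version is patched"
    if storage_method == "metadata":
        return "exposed SDK version, but data keys are stored in metadata; upgrade still recommended"
    return "vulnerable: unpatched SDK with instruction-file storage of encrypted data keys"


if __name__ == "__main__":
    detected = parse_sdk_version(SAMPLE_VERSION_HEADER)
    print("detected SDK version", ".".join(map(str, detected)))
    print(assess(detected, "instruction_file"))
```

Run it against the real header (`find / -name VersionConfig.h` under the SDK install prefix) rather than the constructed sample; the storage method has to come from your own encryption client setup, since it is not discoverable from the SDK files alone.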
📡 Detection & Monitoring
Log Indicators:
- Unexpected S3 object modifications
- Encryption/decryption errors in application logs
- IAM permission changes for S3 buckets
Network Indicators:
- Unusual S3 API write patterns to encrypted buckets
- Increased S3 PutObject requests with encryption headers
SIEM Query:
source="aws.cloudtrail" eventName IN ("PutObject", "PutObjectAcl") AND requestParameters.bucketName="encrypted-bucket-name" AND errorCode IS NULL | stats count by userIdentity.arn
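The SIEM query above, implemented over CloudTrail S3 data events, as an added example that is not part of the original advisory. It reproduces the query's logic (successful `PutObject`/`PutObjectAcl` against the encrypted bucket, counted by principal ARN) and goes one step further for this CVE by flagging writes to keys ending in `.instruction` from principals outside an allow list; that suffix is assumed to be the encryption client's instruction-file naming, and the records, account id and ARNs are constructed for the example.

```python
import json
from collections import Counter

# Constructed CloudTrail S3 data-event records; not real logs.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/app-writer"},
     "requestParameters": {"bucketName": "encrypted-bucket-name", "key": "reports/q1.csv"}},
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/app-writer"},
     "requestParameters": {"bucketName": "encrypted-bucket-name", "key": "reports/q1.csv.instruction"}},
    {"eventName": "PutObject",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"bucketName": "encrypted-bucket-name", "key": "reports/q1.csv.instruction"}},
    {"eventName": "PutObject",  # denied write: excluded, matching "errorCode IS NULL"
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/contractor"},
     "requestParameters": {"bucketName": "encrypted-bucket-name", "key": "reports/q1.csv"},
     "errorCode": "AccessDenied"},
    {"eventName": "GetObject",  # read, not a write event
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/reader"},
     "requestParameters": {"bucketName": "encrypted-bucket-name", "key": "reports/q1.csv"}},
    {"eventName": "PutObjectAcl",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ops/session"},
     "requestParameters": {"bucketName": "encrypted-bucket-name", "key": "reports/q1.csv"}},
    {"eventName": "PutObject",  # different bucket, out of scope
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/app-writer"},
     "requestParameters": {"bucketName": "other-bucket", "key": "notes.txt"}},
]})

WRITE_EVENTS = {"PutObject", "PutObjectAcl"}
# Assumed: suffix the S3 encryption client uses for instruction files.
INSTRUCTION_SUFFIX = ".instruction"


def load_records(raw_json: str) -> list:
    return json.loads(raw_json)["Records"]


def successful_writes(records: list, bucket: str) -> list:
    """Equivalent of: eventName IN (...) AND bucketName=... AND errorCode IS NULL."""
    return [
        r for r in records
        if r.get("eventName") in WRITE_EVENTS
        and r.get("requestParameters", {}).get("bucketName") == bucket
        and "errorCode" not in r
    ]


def writes_by_principal(records: list, bucket: str) -> Counter:
    """Equivalent of: | stats count by userIdentity.arn."""
    return Counter(r["userIdentity"]["arn"] for r in successful_writes(records, bucket))


def unexpected_instruction_file_writes(records: list, bucket: str, allowed_principals: set) -> list:
    """Writes to instruction files by principals that are not expected to produce them."""
    hits = []
    for r in successful_writes(records, bucket):
        key = r.get("requestParameters", {}).get("key", "")
        arn = r["userIdentity"]["arn"]
        if key.endswith(INSTRUCTION_SUFFIX) and arn not in allowed_principals:
            hits.append((arn, key))
    return hits


if __name__ == "__main__":
    recs = load_records(SAMPLE_CLOUDTRAIL)
    for arn, n in writes_by_principal(recs, "encrypted-bucket-name").most_common():
        print(f"{n:3d}  {arn}")
    allowed = {"arn:aws:iam::123456789012:user/app-writer"}
    for arn, key in unexpected_instruction_file_writes(recs, "encrypted-bucket-name", allowed):
        print("ALERT instruction file written by", arn, "->", key)
```

CloudTrail only records `PutObject` for a bucket when S3 data events are enabled for it, so confirm that logging is on for the encrypted bucket before relying on either the query or this script.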