CVE-2025-23015

8.8 HIGH

📋 TL;DR

This vulnerability allows users with MODIFY permission on all keyspaces in Apache Cassandra to escalate privileges to superuser by performing unsafe actions on system resources. It affects all Apache Cassandra deployments running vulnerable versions (through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2). Organizations granting broad data modification permissions are particularly at risk.

💻 Affected Systems

Products:
  • Apache Cassandra
Versions: Through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2
Operating Systems: All operating systems running Apache Cassandra
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when users have been granted MODIFY permission on all keyspaces. Default configurations typically don't grant this permission.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete cluster compromise where an attacker gains superuser privileges, enabling full control over all data, configuration, and potentially lateral movement to connected systems.

🟠 Likely Case

Privilege escalation leading to unauthorized data access, modification, or deletion across all keyspaces in the Cassandra cluster.

🟢 If Mitigated

Limited impact if proper least-privilege access controls are implemented and MODIFY permission on all keyspaces is not granted to untrusted users.

🌐 Internet-Facing: MEDIUM - While Cassandra clusters are typically internal, internet-facing management interfaces or misconfigurations could expose this vulnerability.
🏢 Internal Only: HIGH - Most Cassandra deployments are internal, and users with MODIFY permission on all keyspaces could exploit this to gain superuser access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authenticated access with MODIFY permission on all keyspaces. Exploitation involves specific unsafe actions against system resources.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3

Vendor Advisory: https://lists.apache.org/thread/jmks4msbgkl65ssg69x728sv1m0hwz3s

Restart Required: No

Instructions:

1. Identify your Cassandra version using 'nodetool version'.
2. Download and install the patched version from Apache Cassandra downloads.
3. Follow standard Cassandra upgrade procedures for your version.
4. Verify the upgrade with 'nodetool version'.

🔧 Temporary Workarounds

Restrict MODIFY permissions (applies to all affected versions)

Remove MODIFY permission on all keyspaces from users who don't absolutely need it. Implement least-privilege access controls.

REVOKE MODIFY ON ALL KEYSPACES FROM username;
GRANT MODIFY ON KEYSPACE specific_keyspace TO username;
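The REVOKE above assumes you already know which roles hold the risky grant. The following is an added example (not from the advisory or the Apache Cassandra project) that audits the output of `LIST ALL PERMISSIONS;` for roles with MODIFY on `<all keyspaces>` and emits the matching REVOKE statements for review. The permissions table embedded here is constructed sample data shaped like cqlsh's tabular output; the `cqlsh` invocation in the comment assumes cqlsh is on PATH with authentication configured.

```shell
# Added example, not part of the advisory. Constructed sample shaped like the output of
#   cqlsh -e 'LIST ALL PERMISSIONS;'
# The resource string "<all keyspaces>" is how Cassandra prints the root data resource.
SAMPLE_PERMISSIONS='
 role      | username  | resource                 | permission
-----------+-----------+--------------------------+------------
 cassandra | cassandra | <all keyspaces>          |     SELECT
 etl_user  | etl_user  | <all keyspaces>          |     MODIFY
 etl_user  | etl_user  | <all keyspaces>          |     SELECT
 app_user  | app_user  | <keyspace orders>        |     MODIFY
 reporter  | reporter  | <table orders.events>    |     SELECT
 admin2    | admin2    | <all keyspaces>          |     MODIFY

(6 rows)'

# roles_with_modify_on_all_keyspaces: read a LIST ALL PERMISSIONS table on stdin and
# print one role per line for every row granting MODIFY on <all keyspaces>, which is
# exactly the grant this CVE requires. Rows with a narrower resource are ignored.
roles_with_modify_on_all_keyspaces() {
  awk -F'|' '
    NF == 4 {
      gsub(/^[ \t]+|[ \t]+$/, "", $1);
      gsub(/^[ \t]+|[ \t]+$/, "", $3);
      gsub(/^[ \t]+|[ \t]+$/, "", $4);
      if ($3 == "<all keyspaces>" && $4 == "MODIFY") print $1
    }' | sort -u
}

# revoke_statements_for: for each role name on stdin, print the REVOKE statement from
# the advisory. Output is meant to be reviewed, then fed to cqlsh deliberately.
revoke_statements_for() {
  while IFS= read -r role; do
    [ -n "$role" ] || continue
    printf 'REVOKE MODIFY ON ALL KEYSPACES FROM %s;\n' "$role"
  done
}

# Against a live cluster (assumption: cqlsh on PATH, credentials configured):
#   cqlsh -e 'LIST ALL PERMISSIONS;' | roles_with_modify_on_all_keyspaces | revoke_statements_for
# Run on the constructed sample:
printf '%s\n' "$SAMPLE_PERMISSIONS" | roles_with_modify_on_all_keyspaces | revoke_statements_for
```

On the sample this prints REVOKE statements for admin2 and etl_user only; app_user keeps its keyspace-scoped MODIFY, which is the least-privilege shape the advisory recommends.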

🧯 If You Can't Patch

  • Immediately audit and remove MODIFY permission on all keyspaces from all non-essential users
  • Implement network segmentation to isolate Cassandra clusters and restrict access to trusted users only

🔍 How to Verify

Check if Vulnerable:

Check Cassandra version with 'nodetool version'. If version is 3.0.30 or earlier, 3.11.17 or earlier, 4.0.15 or earlier, 4.1.7 or earlier, or 5.0.2 or earlier, you are vulnerable.

Check Version:

nodetool version

Verify Fix Applied:

After upgrading, run 'nodetool version' to confirm you're running 3.0.31+, 3.11.18+, 4.0.16+, 4.1.8+, or 5.0.3+.
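As an added example (not from the advisory or the Apache Cassandra project), the script below turns the version check above into a function you can run across a fleet: it extracts the version from `nodetool version` output and compares the patch number against the fixed release for that line (3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3). The `ReleaseVersion:` line fed in here is constructed sample output; release lines the advisory does not mention are reported as "unlisted" rather than guessed at.

```shell
# Added example, not part of the advisory.
# cassandra_fix_status VERSION: print "vulnerable" if VERSION is at or below the last
# affected release of its line, "fixed" if it is at or after the patched release, or
# "unlisted" for release lines the advisory does not cover.
cassandra_fix_status() {
  ver=$1
  old_ifs=$IFS
  IFS='.-'                      # split "4.1.7-SNAPSHOT" into 4 1 7 SNAPSHOT
  set -- $ver
  IFS=$old_ifs
  major=$1; minor=$2; patch=${3:-0}
  case "$major.$minor" in
    3.0)  fixed=31 ;;
    3.11) fixed=18 ;;
    4.0)  fixed=16 ;;
    4.1)  fixed=8 ;;
    5.0)  fixed=3 ;;
    *)    echo unlisted; return 0 ;;
  esac
  if [ "$patch" -lt "$fixed" ]; then
    echo vulnerable
  else
    echo fixed
  fi
}

# version_from_nodetool: pull the version out of `nodetool version` output on stdin,
# which looks like "ReleaseVersion: 4.1.7".
version_from_nodetool() {
  sed -n 's/^ReleaseVersion:[[:space:]]*//p' | head -n 1
}

# Against a live node:  nodetool version | version_from_nodetool | xargs -I{} sh -c '...'
# Here, on constructed sample output:
sample_version=$(printf 'ReleaseVersion: 4.1.7\n' | version_from_nodetool)
printf '%s: %s\n' "$sample_version" "$(cassandra_fix_status "$sample_version")"
```

The comparison is per release line on purpose: 4.1.7 is vulnerable even though 4.0.16 is fixed, so a plain lexical "newer than" check would give the wrong answer.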

📡 Detection & Monitoring

Log Indicators:

  • Unusual privilege escalation attempts in Cassandra system.log
  • Multiple MODIFY permission grants on all keyspaces
  • Suspicious system resource access patterns

Network Indicators:

  • Unusual CQL traffic patterns from users with MODIFY permissions
  • Multiple privilege-related queries from single sources

SIEM Query:

source="cassandra.log" AND ("MODIFY ON ALL KEYSPACES" OR "privilege escalation" OR "system resource access")
