CVE-2025-23391
📋 TL;DR
A privilege escalation vulnerability in SUSE Rancher (GHSA-8p83-cpfg-fj3g) lets a user holding the built-in Restricted Administrator global role change the password of a full Administrator and take over that account. Affected releases are Rancher 2.8.0 through 2.8.13, 2.9.0 through 2.9.7, and 2.10.0 through 2.10.3. Because an Administrator can do anything in Rancher, a Restricted Administrator who exploits this gains complete control of the Rancher management server and, through it, of every managed cluster.
💻 Affected Systems
- SUSE Rancher
⚠️ Manual Verification Required
The affected ranges above are taken from the vendor advisory; this database entry carries no machine-readable version ranges, so automated scanning will not flag your installation. Check the deployed version yourself:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Rancher management platform, allowing attackers to create new admin accounts, deploy malicious workloads, access all managed clusters, and exfiltrate sensitive data.
Likely Case
Privilege escalation from Restricted Administrator to full Administrator, enabling unauthorized configuration changes, user management, and cluster control.
If Mitigated
Reduced impact where Restricted Administrator accounts are few and tightly controlled and password changes on Administrator accounts are alerted on promptly. Note that monitoring only shortens the attacker's window; it does not prevent the takeover.
🎯 Exploit Status
Exploitation requires valid Restricted Administrator credentials (or an active session for such an account). The flaw is a missing authorization check, not a memory-safety or timing issue, so once authenticated an attacker needs nothing more than a password change on an Administrator account through the normal user-management interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.8.14, 2.9.8, 2.10.4
Vendor Advisory: https://github.com/rancher/rancher/security/advisories/GHSA-8p83-cpfg-fj3g
Restart Required: Yes
Instructions:
1. Back up the Rancher configuration and data.
2. Upgrade to a patched version (2.8.14, 2.9.8, or 2.10.4) using the same method the instance was installed with.
3. Restart Rancher services.
4. Verify that all components are running correctly and that the reported server version is the patched one.
🔧 Temporary Workarounds
Remove Restricted Administrator Access
Temporarily remove Restricted Administrator bindings until patching can be completed. In Rancher this role is the built-in restricted-admin GlobalRole, granted through GlobalRoleBinding objects on the local (management) cluster; it is not a namespaced ClusterRoleBinding in cattle-system. With a kubeconfig for the local cluster, list the affected bindings and remove them:
kubectl get globalrolebindings.management.cattle.io -o jsonpath='{range .items[?(@.globalRoleName=="restricted-admin")]}{.metadata.name}{"\t"}{.userName}{"\n"}{end}'
kubectl delete globalrolebindings.management.cattle.io <binding-name>
Removing a binding also removes that user's legitimate access, so record who held the role and re-grant it after upgrading. The same change can be made in the UI by editing the user's Global Permissions.
Enhanced Monitoring
Alert on password change events and on changes to Administrator accounts, in particular any change to an Administrator initiated by a different user.
🧯 If You Can't Patch
- Implement strict least-privilege access controls and review all Restricted Administrator accounts
- Enable comprehensive audit logging for all administrative actions and monitor for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Read the running Rancher version from the UI (Global Settings -> About) or from the local cluster:
kubectl get settings.management.cattle.io server-version -o jsonpath='{.value}'
Check Version:
If the value falls within 2.8.0-2.8.13, 2.9.0-2.9.7 or 2.10.0-2.10.3, the installation is affected. Versions outside those lines are not listed in this advisory; consult the vendor advisory for them.
Verify Fix Applied:
Confirm the version is 2.8.14, 2.9.8, 2.10.4 or later on the same release line. Then, using a throwaway Restricted Administrator account, attempt to change the password of a dedicated test Administrator account (never a production one) and confirm the request is rejected.
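The range check above is easy to get wrong by hand when pre-release builds are involved, so here is an added example (not a vendor tool) that classifies a server-version string against the ranges this advisory lists. It assumes the value printed by the kubectl command above, and it conservatively treats a pre-release of the first fixed patch (for example v2.9.8-rc1) as still affected.

```python
"""Classify a Rancher server-version string against the ranges in this
advisory. Added example, not vendor code.

Feed it the value of:
    kubectl get settings.management.cattle.io server-version -o jsonpath='{.value}'
"""
import re
import sys

# Inclusive (first_affected, last_affected) per release line, from the advisory.
# The first fixed releases are 2.8.14, 2.9.8 and 2.10.4.
AFFECTED_RANGES = {
    (2, 8): ((2, 8, 0), (2, 8, 13)),
    (2, 9): ((2, 9, 0), (2, 9, 7)),
    (2, 10): ((2, 10, 0), (2, 10, 3)),
}

# Optional leading "v", three numeric components, optional "-suffix" (rc, head, ...).
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?$")


def parse_version(raw):
    """Return (major, minor, patch, prerelease_or_None); raise ValueError if unparsable."""
    m = _VERSION_RE.match(raw.strip())
    if not m:
        raise ValueError(f"unrecognised Rancher version string: {raw!r}")
    major, minor, patch, pre = m.groups()
    return int(major), int(minor), int(patch), pre


def classify(raw):
    """Return 'affected', 'fixed', or 'unlisted' (a release line the advisory does not cover)."""
    major, minor, patch, pre = parse_version(raw)
    line = AFFECTED_RANGES.get((major, minor))
    if line is None:
        return "unlisted"
    low, high = line
    if low <= (major, minor, patch) <= high:
        return "affected"
    # Assumption (conservative): a pre-release build of the first fixed patch
    # precedes the GA fix, so do not assume the fix is present in it.
    if pre is not None and (major, minor, patch) == (high[0], high[1], high[2] + 1):
        return "affected"
    return "fixed"


def is_affected(raw):
    return classify(raw) == "affected"


if __name__ == "__main__":
    version = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.read()
    print(f"{version.strip()}: {classify(version)}")
```

Run it as `kubectl get settings.management.cattle.io server-version -o jsonpath='{.value}' | python3 check_version.py`; an "unlisted" result means the release line is outside this advisory, not that it is safe.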
📡 Detection & Monitoring
Log Indicators:
- Password changes on Administrator accounts that the account owner did not initiate
- A user's global role changing to Administrator, or new Administrator accounts appearing
- Any modification of an Administrator account by a user who is not an Administrator
Network Indicators:
- Unusual API calls to user-management endpoints (/v3/users) from Restricted Administrator accounts
SIEM Query:
source="rancher" AND (event="password_change" OR event="user_update") AND user_role="restricted-admin"
The event and user_role fields in that query are illustrative. Rancher's own audit log records the request method, requestURI and the acting user's name rather than a normalised event type, so a concrete rule keys on POST requests to /v3/users/<id> carrying a password-setting action, issued by users who hold the restricted-admin global role, with the target id belonging to an Administrator.
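As an added example of that concrete rule (not part of the original page or of Rancher), the script below scans JSON audit-log lines for password resets that a Restricted Administrator issued against an Administrator account. The log lines are constructed to mimic the shape of Rancher's audit log (auditID, method, requestURI, user.name, responseCode); the admin and restricted-admin user sets are constructed here and would be populated from GlobalRoleBindings in practice; and the assumption that an administrator-initiated reset appears as the setpassword action on /v3/users/<id> should be checked against your Rancher version.

```python
"""Flag Restricted-Administrator password resets of Administrator accounts in
Rancher-style JSON audit-log lines. Added example, not Rancher code."""
import json
from urllib.parse import parse_qs, urlsplit

# Constructed role sets. In a real deployment derive them from
#   kubectl get globalrolebindings.management.cattle.io -o json
ADMINS = {"user-admin1", "user-admin2"}
RESTRICTED_ADMINS = {"user-radmin"}

# Assumption: an administrator resetting another user's password is logged as
# POST /v3/users/<id>?action=setpassword (a user's own change is changepassword).
RESET_ACTION = "setpassword"

# Constructed sample lines in the shape of Rancher's JSON audit log.
SAMPLE_LOG = """
{"auditID":"a1","method":"POST","requestURI":"/v3/users/user-admin1?action=setpassword","user":{"name":"user-radmin","group":["system:authenticated"]},"responseCode":200,"requestTimestamp":"2025-01-10T09:00:00Z"}
{"auditID":"a2","method":"POST","requestURI":"/v3/users/user-radmin?action=changepassword","user":{"name":"user-radmin","group":["system:authenticated"]},"responseCode":200,"requestTimestamp":"2025-01-10T09:01:00Z"}
{"auditID":"a3","method":"POST","requestURI":"/v3/users/user-dev7?action=setpassword","user":{"name":"user-radmin","group":["system:authenticated"]},"responseCode":200,"requestTimestamp":"2025-01-10T09:02:00Z"}
{"auditID":"a4","method":"POST","requestURI":"/v3/users/user-admin2?action=setpassword","user":{"name":"user-admin1","group":["system:authenticated"]},"responseCode":200,"requestTimestamp":"2025-01-10T09:03:00Z"}
{"auditID":"a5","method":"GET","requestURI":"/v3/users/user-admin1","user":{"name":"user-radmin","group":["system:authenticated"]},"responseCode":200,"requestTimestamp":"2025-01-10T09:04:00Z"}
{"auditID":"a6","method":"POST","requestURI":"/v3/users/user-admin2?action=setpassword","user":{"name":"user-radmin","group":["system:authenticated"]},"responseCode":403,"requestTimestamp":"2025-01-10T09:05:00Z"}
"""


def parse_reset(entry):
    """Return the target user id if the entry is a setpassword call on /v3/users/<id>, else None."""
    if entry.get("method") != "POST":
        return None
    parts = urlsplit(entry.get("requestURI", ""))
    if parse_qs(parts.query).get("action") != [RESET_ACTION]:
        return None
    segs = parts.path.strip("/").split("/")
    if len(segs) == 3 and segs[0] == "v3" and segs[1] == "users":
        return segs[2]
    return None


def find_escalations(log_text, admins=ADMINS, restricted=RESTRICTED_ADMINS):
    """Return one alert per reset of an admin password by a restricted admin.

    A 2xx response is reported as 'success' (the takeover went through); any
    other code, such as the 403 a patched server returns, as 'attempt'.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        entry = json.loads(line)
        target = parse_reset(entry)
        actor = entry.get("user", {}).get("name")
        if target is None or actor not in restricted or target not in admins:
            continue
        code = int(entry.get("responseCode", 0))
        alerts.append({
            "auditID": entry.get("auditID"),
            "time": entry.get("requestTimestamp"),
            "actor": actor,
            "target": target,
            "outcome": "success" if 200 <= code < 300 else "attempt",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_escalations(SAMPLE_LOG):
        print(json.dumps(alert))
```

On the sample, a1 is reported as a successful takeover and a6 as a denied attempt; a3 (reset of a non-admin) and a4 (reset by an admin) are deliberately not alerted, since the rule targets this advisory's escalation path. Keep the "attempt" alerts after patching: they show a Restricted Administrator probing for the flaw.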