CVE-2025-32801
📋 TL;DR
CVE-2025-32801 concerns the way Kea loads hook libraries: Kea dlopen()s any shared object named in the hooks-libraries section of its configuration, and that configuration can be replaced at runtime through the control channel (the Control Agent's HTTP API or the servers' UNIX control sockets). An attacker who can edit the configuration, or who can reach a control channel that is unauthenticated or sits behind loose socket permissions (as in several default configurations), can point the server at a malicious library and run code inside the Kea process, which typically runs as root. ISC describes the issue as a privilege escalation rather than a network-only remote code execution: the attacker first needs a foothold that can talk to the control channel or write the configuration file. Affected are Kea DHCP servers running vulnerable versions with default or insecure control-channel configurations.
💻 Affected Systems
- ISC Kea DHCP Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Update to 2.4.2, 2.6.3 or 2.7.9 (or later in the same branch); see Official Fix below
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root-level code execution, allowing complete control of the DHCP server and potentially lateral movement to other systems.
Likely Case
Code execution as root on the DHCP server by a local account or a host that can reach the control channel, enabling credential theft, lease and network manipulation, service disruption, or installation of persistent backdoors.
If Mitigated
With the control channel authenticated and bound to loopback, socket permissions tightened, and Kea running as a dedicated unprivileged user, a loaded hook still executes code but only with that user's rights; the realistic impact shrinks to DHCP service disruption or lease manipulation rather than host takeover.
🎯 Exploit Status
Exploitation requires the ability to change the running configuration: write access to the configuration file, a UNIX control socket with permissive permissions, or the HTTP control channel without authentication. Default configurations that expose an unauthenticated control channel on localhost make this reachable by any local account, which is why the vendor classifies it as local privilege escalation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.4.2, 2.6.3, 2.7.9 or later
Vendor Advisory: https://kb.isc.org/docs/cve-2025-32801
Restart Required: Yes
Instructions:
1. Obtain the fixed release (2.4.2, 2.6.3 or 2.7.9 or later in your branch) from ISC or from your distribution's updated package.
2. Stop the Kea services (kea-dhcp4, kea-dhcp6 and kea-ctrl-agent as applicable).
3. Install the updated packages.
4. Start the services again.
5. Confirm with 'kea-dhcp4 -V' or 'kea-dhcp6 -V' that the reported version is at or above the fixed release for your branch.
🔧 Temporary Workarounds
Secure API Configuration
Configure authentication on the control channel and restrict who can reach it.
Edit the Control Agent configuration (kea-ctrl-agent.conf) to add an 'authentication' section of type 'basic' with a dedicated user and a long random password; the same applies to any HTTP control socket configured directly in the DHCP server.
Bind 'http-host' to 127.0.0.1 (or a dedicated management address behind a host firewall) rather than 0.0.0.0, and configure 'cert-file'/'key-file' (plus 'cert-required' for client certificates) if the API must be reachable over the network.
Check that the directory holding the UNIX control sockets ('socket-name') is owned by the Kea user and not writable by other accounts; write access to the socket file grants the same commands as the HTTP API.
Run as Non-Root User
Run Kea as a dedicated unprivileged account so that a hook library loaded through this bug executes with that account's rights rather than root. This limits the impact; it does not stop the library from being loaded.
Create a dedicated kea user: 'useradd -r -s /sbin/nologin kea'
Give that user the runtime directories it writes to: 'chown -R kea:kea /var/lib/kea /run/kea /var/log/kea' (lease files, control sockets and logs; adjust paths to your install)
Update the systemd unit (a drop-in with 'User=kea' and 'Group=kea') and grant the capabilities DHCP needs with 'AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_NET_RAW'; kea-dhcp4 uses raw sockets by default to answer clients that have no address yet, so without CAP_NET_RAW it cannot respond on the wire
Keep the configuration files and the hooks directory owned by root and not writable by the kea user, otherwise the unprivileged process could still rewrite its own hooks-libraries entries
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Kea servers from untrusted networks
- Enable comprehensive logging and monitoring for suspicious API/config changes
🔍 How to Verify
Check if Vulnerable:
Run 'kea-dhcp4 -V' or 'kea-dhcp6 -V' and compare the first line with the fixed releases (2.4.2, 2.6.3, 2.7.9 or later in that branch). Then check whether the process runs as root ('ps -o user= -C kea-dhcp4') and whether the control channel is exposed: an 'http-host' other than loopback with no 'authentication' block in kea-ctrl-agent.conf, or UNIX control sockets in a directory writable by other users.
Check Version:
kea-dhcp4 -V 2>&1 | head -1
Verify Fix Applied:
Verify the version is 2.4.2+, 2.6.3+ or 2.7.9+ in its branch, and confirm the control channel has an 'authentication' block and is bound to loopback or protected by TLS.
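The two checks above (version against the fixed releases, and whether the control channel is exposed) together with the Secure API Configuration workaround can be scripted. The following is an added example, not ISC's code and not a tool from this page: it parses the output of 'kea-dhcp4 -V', audits a kea-ctrl-agent.conf document for an exposed or unauthenticated HTTP channel, and flags hooks-libraries entries outside the expected hooks directory. The hooks directory paths, the sample configurations and the credential placeholder are constructed assumptions; the "weak" and "hardened" agent configs are shown side by side so the audit's output on each can be compared.

```python
"""Version and configuration checks for CVE-2025-32801 (added example, not ISC code)."""
import json
import re

# Fixed releases named in the ISC advisory, keyed by release branch.
FIXED = {(2, 4): (2, 4, 2), (2, 6): (2, 6, 3), (2, 7): (2, 7, 9)}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
# Assumed hooks directories (Debian/Ubuntu package and source-install defaults).
HOOK_DIRS = ("/usr/lib/x86_64-linux-gnu/kea/hooks/", "/usr/local/lib/kea/hooks/")


def parse_version(output):
    """Pull the x.y.z triple from the first line of `kea-dhcp4 -V` output."""
    first = output.strip().splitlines()[0] if output.strip() else ""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", first)
    if not m:
        raise ValueError("no Kea version found in: %r" % first)
    return tuple(int(x) for x in m.groups())


def is_fixed(version_output):
    """True = fixed, False = vulnerable, None = branch not covered by the advisory."""
    v = parse_version(version_output)
    branch = v[:2]
    if branch in FIXED:
        return v >= FIXED[branch]
    if v > FIXED[(2, 7)]:  # 2.8.x / 3.x shipped after the 2.7.9 fix
        return True
    return None  # older branches are not listed; check with ISC


def audit_control_agent(cfg):
    """Return findings for a kea-ctrl-agent.conf dict; an empty list means hardened."""
    ca = cfg.get("Control-agent", {})
    findings = []
    host = ca.get("http-host", "127.0.0.1")
    if host not in LOOPBACK:
        findings.append("http-host %s is reachable beyond loopback" % host)
        if not (ca.get("cert-file") and ca.get("key-file")):
            findings.append("HTTP control channel exposed without TLS")
    auth = ca.get("authentication")
    if not auth:
        findings.append("no authentication block: any client reaching the API can push config-set")
    else:
        clients = auth.get("clients", [])
        if not clients:
            findings.append("authentication block has no clients")
        for c in clients:
            if not c.get("password"):
                findings.append("client %r has no password" % c.get("user"))
    return findings


def audit_hooks(cfg):
    """Flag hooks-libraries entries that point outside the expected hooks directory."""
    findings = []
    for server in ("Dhcp4", "Dhcp6"):
        for hook in cfg.get(server, {}).get("hooks-libraries", []):
            lib = hook.get("library", "")
            if not lib.startswith(HOOK_DIRS):
                findings.append("%s loads %s from outside the hooks directory" % (server, lib))
    return findings


# Constructed sample configs (not from a real host): a default-style exposed agent
# and a hardened one bound to loopback with basic authentication.
WEAK_CA = json.loads("""{ "Control-agent": {
    "http-host": "0.0.0.0", "http-port": 8000,
    "control-sockets": { "dhcp4": { "socket-type": "unix",
                                    "socket-name": "/run/kea/kea4-ctrl-socket" } } } }""")

HARDENED_CA = json.loads("""{ "Control-agent": {
    "http-host": "127.0.0.1", "http-port": 8000,
    "authentication": { "type": "basic", "realm": "kea-control-agent",
        "clients": [ { "user": "kea-admin", "password": "REPLACE-WITH-A-LONG-RANDOM-SECRET" } ] },
    "control-sockets": { "dhcp4": { "socket-type": "unix",
                                    "socket-name": "/run/kea/kea4-ctrl-socket" } } } }""")

# Constructed kea-dhcp4.conf fragment with one legitimate hook and one suspicious path.
DHCP4_CFG = json.loads("""{ "Dhcp4": { "hooks-libraries": [
    { "library": "/usr/lib/x86_64-linux-gnu/kea/hooks/libdhcp_lease_cmds.so" },
    { "library": "/tmp/.cache/libdhcp_helper.so" } ] } }""")

if __name__ == "__main__":
    print("kea 2.6.1 fixed?", is_fixed("2.6.1"))
    print("weak agent:", audit_control_agent(WEAK_CA))
    print("hardened agent:", audit_control_agent(HARDENED_CA))
    print("hooks:", audit_hooks(DHCP4_CFG))
```

On a live host, feed `is_fixed` the captured output of `kea-dhcp4 -V` and load the real configuration files with `json.load`; Kea accepts comments and `#include` directives in its config files, so strip those first if your files use them.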
📡 Detection & Monitoring
Log Indicators:
- HOOKS_LIBRARY_LOADING / HOOKS_LIBRARY_LOADED messages naming a library outside the installation's hooks directory, or appearing outside a planned restart or reload
- Control channel commands ('config-set', 'config-reload', 'config-write') from unexpected sources; Kea logs received commands on the kea-dhcp4.commands logger at debug level, so raise that logger's severity on servers you want to watch
- Configuration file changes (mtime or hash) that do not match a change record
Network Indicators:
- Unusual outbound connections from the Kea server (a hook library runs arbitrary code inside the daemon)
- Shared objects fetched onto the server from unfamiliar hosts shortly before a hook load
SIEM Query (Kea logs carry message identifiers rather than an 'event' field; adjust field names and the hooks path to your pipeline):
source="kea" AND "HOOKS_LIBRARY_LOADING" AND NOT "/usr/lib/x86_64-linux-gnu/kea/hooks/"