CVE-2025-49809

7.8 HIGH

📋 TL;DR

CVE-2025-49809 is a privilege escalation vulnerability in mtr (network diagnostic tool) where the MTR_PACKET environment variable can be abused to execute arbitrary programs when mtr runs with elevated privileges. This affects users who run mtr with sudo or setuid permissions, particularly on macOS systems where Homebrew installs mtr without setuid but users often configure sudo rules for it.

💻 Affected Systems

Products:
  • mtr
Versions: All versions through 0.95
Operating Systems: Linux, macOS, Unix-like systems
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when mtr runs with elevated privileges (sudo or setuid). On macOS via Homebrew, mtr is not installed setuid by default, but users often add sudo rules for it.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local attacker gains root privileges by exploiting mtr when executed with sudo or setuid permissions, leading to complete system compromise.

🟠 Likely Case: Privileged user inadvertently runs mtr with sudo, allowing local attacker to execute arbitrary code with elevated privileges.

🟢 If Mitigated: Limited to unprivileged user context with no sudo access to mtr, resulting in no privilege escalation.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the system.
🏢 Internal Only: MEDIUM - Risk exists on internal systems where users have sudo access to mtr or where mtr runs with setuid permissions.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access and ability to set environment variables before mtr execution with elevated privileges.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Fixed in commit 5226f105f087c29d3cfad9f28000e7536af91ac6 and later versions

Vendor Advisory: https://github.com/traviscross/mtr/blob/master/SECURITY

Restart Required: No

Instructions:

1. Update mtr to a version that includes commit 5226f105f087c29d3cfad9f28000e7536af91ac6
2. On Linux: Use package manager (apt/yum) to update
3. On macOS: Update via Homebrew or compile from patched source

🔧 Temporary Workarounds

Remove sudo privileges for mtr (linux)

Remove mtr from sudoers configuration to prevent privilege escalation:

  sudo visudo
  (remove any lines granting sudo access to mtr)

Unset MTR_PACKET environment variable (all)

Clear the vulnerable environment variable before running mtr:

  unset MTR_PACKET
  mtr [destination]

🧯 If You Can't Patch

  • Remove sudo access for mtr from all user accounts
  • Run mtr only with standard user privileges, never with sudo or setuid

🔍 How to Verify

Check if Vulnerable:

Check whether the mtr version is 0.95 or earlier and whether mtr can run with elevated privileges: run 'sudo -l' to list sudo rules and 'ls -l $(which mtr)' to check for the setuid bit

Check Version:

mtr --version

Verify Fix Applied:

Verify that the installed mtr build includes commit 5226f105f087c29d3cfad9f28000e7536af91ac6, or test that the MTR_PACKET variable no longer triggers execution

📡 Detection & Monitoring

Log Indicators:

  • Sudo logs showing mtr execution with elevated privileges
  • Unusual process execution from mtr context

Network Indicators:

  • None - local privilege escalation only

SIEM Query:

Process creation where parent process is mtr and command line contains unexpected executable paths
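
The query above, written out as an added example (not code from this page or from the mtr project). mtr normally starts only its mtr-packet helper, whose path MTR_PACKET overrides, so a root-owned child of mtr that is anything else is the signal. The event field names, the trusted-path list and the sample events are assumptions constructed for illustration.

```python
import json
import os

# Assumption: where the legitimate mtr-packet helper is installed on this
# fleet. Adjust to your packaging before using this as a rule.
TRUSTED_HELPERS = {
    "/usr/sbin/mtr-packet",
    "/usr/bin/mtr-packet",
    "/usr/local/sbin/mtr-packet",
    "/opt/homebrew/sbin/mtr-packet",
}

# Constructed process-creation events (JSON lines); field names are
# hypothetical. "euid" is the effective UID of the new child process.
SAMPLE_LOG = """
{"pid": 4001, "euid": 0, "parent_image": "/usr/sbin/mtr", "image": "/usr/sbin/mtr-packet"}
{"pid": 4102, "euid": 0, "parent_image": "/usr/sbin/mtr", "image": "/tmp/mtr-packet"}
{"pid": 4203, "euid": 0, "parent_image": "/usr/sbin/mtr", "image": "/usr/sbin/../../tmp/mtr-packet"}
{"pid": 4304, "euid": 1000, "parent_image": "/usr/sbin/mtr", "image": "/home/alice/bin/mtr-packet"}
{"pid": 4410, "euid": 0, "parent_image": "/opt/homebrew/sbin/mtr", "image": "/bin/sh"}
{"pid": 4511, "euid": 0, "parent_image": "/usr/bin/bash", "image": "/usr/bin/id"}
""".strip()

def parse(log_text):
    """Turn JSON-lines text into a list of event dicts."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def is_suspicious(event):
    """True when a root-privileged mtr spawned something other than a trusted helper."""
    if os.path.basename(event["parent_image"]) != "mtr":
        return False
    if event["euid"] != 0:
        # Unprivileged mtr: no escalation, matches the "If Mitigated" case.
        return False
    # Compare the full normalised path, not the basename: a file that is
    # merely named mtr-packet in an untrusted directory must still alert.
    return os.path.normpath(event["image"]) not in TRUSTED_HELPERS

def scan(events):
    """Return the PIDs of events that should raise an alert."""
    return [e["pid"] for e in events if is_suspicious(e)]

if __name__ == "__main__":
    for pid in scan(parse(SAMPLE_LOG)):
        print(f"ALERT: unexpected child of privileged mtr, pid={pid}")
```

Path normalisation does not resolve symlinks, so pair this with file-integrity monitoring on the trusted helper paths.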
