CVE-2025-52890
📋 TL;DR
In Incus 6.12 and 6.13, the nftables rules generated for a network ACL on a bridged NIC device partially bypass that NIC's security.mac_filtering, security.ipv4_filtering and security.ipv6_filtering options. An instance on such a bridge can send ARP replies and frames carrying another instance's MAC or IP address, which enables ARP spoofing and full impersonation of other VMs/containers on the same bridge. Deployments running an affected version with a bridged NIC that has both an ACL attached and at least one of the filtering options enabled are impacted.
💻 Affected Systems
- Incus
⚠️ Manual Verification Required
The NVD entry for this CVE carries no version range, so automatic version-based detection cannot determine whether your system is affected.
Why? The vendor did not publish a version range to NVD; the GitHub advisory itself names Incus 6.12 and 6.13 as affected and 6.14 (the release containing the fix commit) as fixed. Use those numbers together with the checks under "How to Verify" below.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers can fully impersonate other VMs/containers on the same bridge, intercepting or manipulating all network traffic, potentially leading to data theft, lateral movement, or denial of service.
Likely Case
ARP spoofing attacks allowing traffic interception between VMs/containers on the same bridge, potentially capturing sensitive data or credentials.
If Mitigated
Once the ACL is removed from the bridged NIC or the fix is applied, the filtering options enforce the instance's assigned MAC/IP addresses again and instances on the bridge cannot spoof each other. Bridges on which the filtering options were never enabled are not affected by this CVE, but they were never protected against spoofing in the first place.
🎯 Exploit Status
Exploitation requires control of one container or VM attached to the affected bridge (root inside the instance suffices to change its MAC or IP address or emit forged ARP replies) and knowledge of the target instances' addresses, which are discoverable on the shared segment. No special privileges on the host are needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after commit 254dfd2483ab8de39b47c2258b7f1cf0759231c8
Vendor Advisory: https://github.com/lxc/incus/security/advisories/GHSA-p7fw-vjjm-2rwp
Restart Required: Yes
Instructions:
1. Update Incus to version 6.14 or later.
2. Restart the Incus service: sudo systemctl restart incus
3. Restart affected containers/VMs using bridged networking with ACLs so that Incus regenerates their NIC filtering rules.
🔧 Temporary Workarounds
Remove ACLs from bridged NIC devices
Until patched, unset security.acls on NIC devices attached to bridges, and on the bridge network itself where the ACL was applied at the network level. The filtering options stay enabled and are enforced correctly once no ACL is attached; the trade-off is that the ACL is no longer enforced on that NIC, so restore it after upgrading to 6.14.
incus config device unset <instance> <device> security.acls
incus network unset <bridge> security.acls
Do not disable the filtering options
Turning off security.mac_filtering, security.ipv4_filtering or security.ipv6_filtering is not a workaround: these are the protections the bug bypasses, and disabling them permits the same spoofing by design. Note also that these keys are set per NIC device (incus config device set <instance> <device> security.mac_filtering=true), not on the bridge network.
🧯 If You Can't Patch
- Isolate affected bridge networks from sensitive systems
- Implement network monitoring for ARP spoofing and unusual MAC/IP changes
🔍 How to Verify
Check if Vulnerable:
Check the server version, which is what matters: 'incus --version' prints the client version, and the server_version field of 'incus info' prints the server version. If the server is 6.12 or 6.13 and any bridged NIC device has security.acls set (on the device or on its managed bridge network) together with security.mac_filtering, security.ipv4_filtering or security.ipv6_filtering enabled, you are vulnerable. Enabling IPv4 or IPv6 filtering implicitly enables MAC filtering, so a NIC with only security.ipv4_filtering=true counts.
Check Version:
incus --version
Verify Fix Applied:
Verify the Incus server version is 6.14 or later ('incus info', field server_version). Then inspect the generated rules on the host with 'sudo nft list ruleset' (the Incus-managed table is named incus in the inet family on current releases) and confirm that, for a NIC that has an ACL attached, the per-NIC chains still drop frames whose source MAC or IP address differs from the instance's assigned addresses. A practical end-to-end test is to change the MAC address inside an instance on the bridge and confirm it loses connectivity.
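The following is an added example (not code from the Incus project or from this advisory) that automates the check above: it reports whether the server runs one of the two affected releases and lists every bridged NIC that has an ACL attached (on the device or inherited from its managed bridge network) while a filtering option is enabled. It assumes the JSON layouts of incus list --all-projects --format json (expanded_devices per instance) and incus network list --format json (name/type/config per network); the sample data embedded below is constructed.

```python
"""Added check for CVE-2025-52890 exposure (example code, not part of Incus).

Assumptions: `incus list --all-projects --format json` returns instance
objects with an `expanded_devices` mapping, and `incus network list
--format json` returns objects with `name`, `type` and `config`."""
import json
import re
import subprocess

AFFECTED_VERSIONS = {"6.12", "6.13"}          # per the vendor advisory
FILTER_KEYS = ("security.mac_filtering",
               "security.ipv4_filtering",
               "security.ipv6_filtering")


def _truthy(value):
    return str(value).strip().lower() in {"true", "1", "yes", "on"}


def version_affected(server_version):
    """6.12 and 6.13 are affected; 6.14 and later carry the fix."""
    return server_version.strip().strip('"') in AFFECTED_VERSIONS


def parse_server_version(info_text):
    """Pull server_version out of the YAML printed by `incus info`."""
    m = re.search(r'^\s*server_version:\s*"?([^"\s]+)"?', info_text, re.M)
    return m.group(1) if m else None


def exposed_nics(instances, networks=None):
    """Return (project, instance, device, acls, enabled_filters) for every
    bridged NIC that has an ACL (on the device or on its managed bridge
    network) together with at least one filtering option enabled."""
    networks = networks or {}
    hits = []
    for inst in instances:
        for dev_name, dev in inst.get("expanded_devices", {}).items():
            if dev.get("type") != "nic":
                continue
            network = dev.get("network")
            if dev.get("nictype") != "bridged" and not network:
                continue                      # not a bridged NIC
            net = networks.get(network, {}) if network else {}
            if net and net.get("type") != "bridge":
                continue                      # e.g. OVN: a different data path
            acls = dev.get("security.acls") or net.get("config", {}).get("security.acls", "")
            if not acls:
                continue                      # no ACL: the buggy rules are not generated
            filters = [k for k in FILTER_KEYS if _truthy(dev.get(k, "false"))]
            if not filters:
                continue                      # no filtering enabled: nothing to bypass
            hits.append((inst.get("project", "default"), inst["name"], dev_name, acls, filters))
    return hits


# Constructed sample data shaped like the incus JSON output (not real hosts).
SAMPLE_INSTANCES = [
    {"name": "web1", "project": "default", "expanded_devices": {
        "eth0": {"type": "nic", "network": "incusbr0", "name": "eth0",
                 "security.acls": "web-only", "security.ipv4_filtering": "true"}}},
    {"name": "db1", "project": "default", "expanded_devices": {      # filtering, no ACL
        "eth0": {"type": "nic", "nictype": "bridged", "parent": "br0", "name": "eth0",
                 "security.mac_filtering": "true"}}},
    {"name": "batch", "project": "ci", "expanded_devices": {         # ACL, no filtering
        "eth0": {"type": "nic", "network": "incusbr0", "name": "eth0",
                 "security.acls": "ci"}}},
    {"name": "ipv6app", "project": "ci", "expanded_devices": {       # ACL set on the network
        "eth0": {"type": "nic", "network": "incusbr1", "name": "eth0",
                 "security.ipv6_filtering": "true"}}},
]
SAMPLE_NETWORKS = {
    "incusbr0": {"type": "bridge", "config": {"ipv4.address": "10.0.0.1/24"}},
    "incusbr1": {"type": "bridge", "config": {"security.acls": "default-acl"}},
}


def _run(*cmd):
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def main():
    """Live check against the local Incus server."""
    version = parse_server_version(_run("incus", "info")) or ""
    instances = json.loads(_run("incus", "list", "--all-projects", "--format", "json"))
    networks = {n["name"]: n for n in json.loads(_run("incus", "network", "list", "--format", "json"))}
    state = "AFFECTED release" if version_affected(version) else "not an affected release"
    print(f"server {version or '?'}: {state}")
    for project, inst, dev, acls, filters in exposed_nics(instances, networks):
        print(f"{project}/{inst} {dev}: acls={acls} filters={','.join(filters)}")


if __name__ == "__main__":
    main()
```

Pass the network list as well as the instance list: an ACL applied with incus network set <bridge> security.acls=... does not show up in the instance's device config, so without it the check would miss exactly the NICs that inherit their ACL from the bridge.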
📡 Detection & Monitoring
Log Indicators (Incus does not log filter hits itself; collect these from the host):
- Unusual ARP traffic patterns, such as unsolicited or gratuitous ARP replies originating from instance ports
- MAC addresses moving between bridge ports in the bridge forwarding database ('bridge fdb show', 'bridge monitor')
- Drop counters rising on the Incus-generated nftables chains, if you add counter or log statements to them
Network Indicators:
- ARP spoofing detection alerts
- Duplicate MAC addresses on bridge
- Unexpected IP-MAC pairings
SIEM Query:
Incus emits no ARP-spoofing or filter-violation events, so a SIEM query only works if a host-side ARP monitor such as arpwatch (whose "changed ethernet address" and "flip flop" reports are the relevant ones) and any nftables logging you add feed the SIEM. The query below is illustrative; adapt the source and field names to your own ingestion:
sourcetype="arpwatch" AND (message="changed ethernet address" OR message="flip flop")
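The network indicators above can be checked on a capture taken on the bridge. The following is an added example (not Incus code) that parses ARP replies from tcpdump -nne -i <bridge> arp output, compares the claimed IP-to-MAC pairs against the bindings Incus knows (the DHCP leases from incus network list-leases <bridge> --format json, whose address and hwaddr field names are assumed here), and also flags a reply whose ARP payload MAC differs from the frame's Ethernet source MAC, which is what a forged gateway reply looks like. The capture and lease data embedded below are constructed.

```python
"""Added ARP-spoofing detector for an Incus bridge (example code, not Incus's own).

Assumptions: tcpdump was run with -nne (so timestamps, Ethernet source/dest
MACs and the ARP payload are all on one line), and the incus lease records
carry `address` and `hwaddr` keys.  Sample data below is constructed."""
import json
import re
import subprocess
import sys
from collections import defaultdict

# With -e tcpdump prints the Ethernet header, so both the frame source MAC and
# the MAC claimed inside the ARP payload are available for comparison.
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-f:]{17}) > (?P<dst>[0-9a-f:]{17}), "
    r"ethertype ARP \(0x0806\), length \d+: Reply (?P<ip>\S+) is-at (?P<mac>[0-9a-f:]{17})",
    re.I,
)

REASON_SRC = "is-at MAC differs from Ethernet source MAC"
REASON_UNEXPECTED = "IP claimed by a MAC that is not bound to it"
REASON_UNKNOWN = "reply for an IP with no known binding"
REASON_MULTI = "IP answered by more than one MAC"


def bindings_from_leases(leases):
    """ip -> mac from incus lease records (assumed keys: address, hwaddr)."""
    return {l["address"]: l["hwaddr"].lower() for l in leases if l.get("hwaddr")}


def parse_arp_replies(lines):
    """Extract ARP replies; requests and non-ARP lines are ignored."""
    replies = []
    for line in lines:
        m = ARP_REPLY.search(line)
        if m:
            d = m.groupdict()
            for k in ("src", "dst", "mac"):
                d[k] = d[k].lower()
            replies.append(d)
    return replies


def find_spoofing(replies, bindings):
    """Return (timestamp, ip, claimed_mac, expected_mac, reason) alerts."""
    alerts = []
    claimed = defaultdict(set)
    for r in replies:
        expected = bindings.get(r["ip"])
        if r["mac"] != r["src"]:          # payload MAC forged, frame still from the attacker
            alerts.append((r["ts"], r["ip"], r["mac"], expected, REASON_SRC))
        if expected is None:
            alerts.append((r["ts"], r["ip"], r["mac"], None, REASON_UNKNOWN))
        elif r["mac"] != expected:        # classic ARP poisoning of a known IP
            alerts.append((r["ts"], r["ip"], r["mac"], expected, REASON_UNEXPECTED))
        claimed[r["ip"]].add(r["mac"])
    for ip, macs in claimed.items():      # works even when no binding is known
        if len(macs) > 1:
            alerts.append(("-", ip, ",".join(sorted(macs)), bindings.get(ip), REASON_MULTI))
    return alerts


# Constructed sample leases, shaped like `incus network list-leases incusbr0 --format json`.
SAMPLE_LEASES = [
    {"hostname": "incusbr0.gw", "hwaddr": "00:16:3e:aa:bb:cc", "address": "10.0.0.1", "type": "gateway"},
    {"hostname": "web1", "hwaddr": "00:16:3E:11:11:11", "address": "10.0.0.10", "type": "dynamic"},
    {"hostname": "db1", "hwaddr": "00:16:3e:22:22:22", "address": "10.0.0.20", "type": "dynamic"},
    {"hostname": "batch", "hwaddr": "00:16:3e:33:33:33", "address": "10.0.0.30", "type": "dynamic"},
]

# Constructed capture: web1 asks for db1; db1 answers; then "batch" poisons the
# db1 entry with its own MAC and forges a gateway reply with the gateway's MAC.
SAMPLE_CAPTURE = """\
10:00:01.000001 00:16:3e:11:11:11 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.20 tell 10.0.0.10, length 28
10:00:01.000250 00:16:3e:22:22:22 > 00:16:3e:11:11:11, ethertype ARP (0x0806), length 42: Reply 10.0.0.20 is-at 00:16:3e:22:22:22, length 28
10:00:05.000300 00:16:3e:33:33:33 > 00:16:3e:11:11:11, ethertype ARP (0x0806), length 42: Reply 10.0.0.20 is-at 00:16:3e:33:33:33, length 28
10:00:06.000400 00:16:3e:33:33:33 > 00:16:3e:11:11:11, ethertype ARP (0x0806), length 42: Reply 10.0.0.1 is-at 00:16:3e:aa:bb:cc, length 28
"""


def main():
    """Usage: sudo tcpdump -nne -i incusbr0 arp > arp.log; python3 this.py incusbr0 < arp.log"""
    bridge = sys.argv[1] if len(sys.argv) > 1 else "incusbr0"
    leases = json.loads(subprocess.run(
        ["incus", "network", "list-leases", bridge, "--format", "json"],
        capture_output=True, text=True, check=True).stdout)
    for alert in find_spoofing(parse_arp_replies(sys.stdin), bindings_from_leases(leases)):
        print(alert)


if __name__ == "__main__":
    main()
```

On the constructed capture this yields three alerts: the db1 address claimed by batch's MAC, the gateway reply whose payload MAC does not match the frame source, and the db1 address answered by two different MACs. On a correctly filtered NIC (6.14, or 6.12/6.13 without an ACL attached) the last two frames would have been dropped at the instance's port and never appear in the capture.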