CVE-2025-5459

8.8 HIGH

📋 TL;DR

This vulnerability allows authenticated users with node group editing permissions in Puppet Enterprise to execute arbitrary commands as root on the primary host by exploiting improper neutralization of special elements in OS commands. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3.

💻 Affected Systems

Products:
  • Puppet Enterprise
Versions: 2018.1.8 through 2023.8.3 and 2025.3
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Requires user with node group editing permissions; default installations may grant these permissions to some administrative users.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full root compromise of the Puppet Enterprise primary server, allowing complete control over managed infrastructure, data exfiltration, and lateral movement to all managed nodes.

🟠 Likely Case

Privilege escalation from authenticated user to root on the primary host, enabling configuration changes, credential theft, and persistence mechanisms.

🟢 If Mitigated

Limited impact if proper access controls restrict node group editing permissions to trusted administrators only.

🌐 Internet-Facing: LOW (Puppet Enterprise management interfaces are typically internal)
🏢 Internal Only: HIGH (Internal attackers with node group permissions can achieve root access)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with specific permissions and knowledge of the vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2023.8.4 or 2025.4.0

Vendor Advisory: https://portal.perforce.com/s/detail/a91PA000001SiDdYAK

Restart Required: Yes

Instructions:

1. Back up your Puppet Enterprise configuration and data.
2. Upgrade to Puppet Enterprise 2023.8.4 or 2025.4.0 using the official upgrade documentation.
3. Restart Puppet Enterprise services after the upgrade.

🔧 Temporary Workarounds

Restrict Node Group Permissions

all

Limit node group editing permissions to only essential administrators to reduce attack surface.

🧯 If You Can't Patch

  • Review and restrict user permissions for node group editing to minimal necessary personnel
  • Implement network segmentation to isolate Puppet Enterprise management interfaces from general user networks

🔍 How to Verify

Check if Vulnerable:

Check Puppet Enterprise version via 'puppet enterprise version' command or web console

Check Version:

puppet enterprise version

Verify Fix Applied:

Confirm version is 2023.8.4 or 2025.4.0 using 'puppet enterprise version' command
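
The version check above can be scripted across a fleet. The following is an added example, not vendor code: it classifies a version string against the affected and fixed releases listed on this page, comparing fields numerically so that 2023.8.10 is not mistaken for something older than 2023.8.3. The function names and the "not-listed" result are assumptions of the example.

```shell
#!/bin/sh
# Added example, not vendor code: classify a Puppet Enterprise version string
# against the ranges this page lists for CVE-2025-5459. Function names are
# hypothetical; "not-listed" means the page says nothing about that version.

# ver_cmp A B: print -1, 0 or 1, comparing dotted versions numerically.
ver_cmp() {
  _a=$1; _b=$2
  case $_a in *.*.*) ;; *) _a=$_a.0 ;; esac   # treat X.Y as X.Y.0
  case $_b in *.*.*) ;; *) _b=$_b.0 ;; esac
  _ifs=$IFS; IFS=.
  set -- $_a $_b                              # $1-$3 = A, $4-$6 = B
  IFS=$_ifs
  for _p in "$1:$4" "$2:$5" "$3:$6"; do
    _x=${_p%%:*}; _y=${_p##*:}
    if [ "$_x" -lt "$_y" ]; then echo -1; return 0; fi
    if [ "$_x" -gt "$_y" ]; then echo 1; return 0; fi
  done
  echo 0
}

pe_cve_2025_5459_status() {
  _v=$1
  # Accept only digits and dots in X.Y or X.Y.Z form; never eval the input.
  case $_v in
    ''|*[!0-9.]*|.*|*.|*..*|*.*.*.*) echo invalid; return 0 ;;
    *.*) ;;
    *) echo invalid; return 0 ;;
  esac
  # Page: affected 2018.1.8 through 2023.8.3 (inclusive).
  if [ "$(ver_cmp "$_v" 2018.1.8)" -ge 0 ] &&
     [ "$(ver_cmp "$_v" 2023.8.3)" -le 0 ]; then
    echo affected; return 0
  fi
  # Page: affected 2025.3. Assumption: every patch level of 2025.3 counts.
  case $_v in 2025.3|2025.3.*) echo affected; return 0 ;; esac
  # Page: fixed in 2023.8.4 and 2025.4.0. Assumption: later releases on those
  # streams keep the fix. 2023.8.* reaching here is already above 2023.8.3.
  case $_v in 2023.8.*) echo fixed; return 0 ;; esac
  if [ "$(ver_cmp "$_v" 2025.4.0)" -ge 0 ]; then echo fixed; return 0; fi
  echo not-listed
}

# Stand-alone use: sh script.sh <version string read from the primary>
if [ "$#" -gt 0 ]; then pe_cve_2025_5459_status "$1"; fi
```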

📡 Detection & Monitoring

Log Indicators:

  • Unusual node group modifications
  • Suspicious command execution in Puppet logs
  • Authentication events from unexpected users

Network Indicators:

  • Unexpected outbound connections from Puppet primary server

SIEM Query:

source="puppet" AND (event="node_group_edit" OR event="command_execution")
