CVE-2025-54882

7.1 HIGH

📋 TL;DR

Himmelblau versions 0.8.0 through 0.9.21 and 1.0.0-beta through 1.1.0 write Kerberos credential cache (ccache) files with world-readable permissions, so any local user on the host can read every other user's cached Kerberos tickets. This affects organizations that use Himmelblau to join Linux hosts to Azure Entra ID and Intune. An attacker with a local account can copy another user's cache and present the tickets in it as that user, against Azure/Intune-managed resources, until they expire.

💻 Affected Systems

Products:
  • Himmelblau
Versions: 0.8.0 through 0.9.21, 1.0.0-beta through 1.1.0
Operating Systems: Linux only (Himmelblau is a Linux PAM/NSS interoperability suite; it does not run on Windows)
Default Config Vulnerable: ⚠️ Yes
Notes: All installations within affected version ranges are vulnerable by default. The vulnerability exists in how Himmelblau creates and stores Kerberos credential cache files.

📦 What is this software?

Himmelblau is an open-source interoperability suite that lets Linux hosts authenticate users against Microsoft Azure Entra ID and enroll with Intune. As part of a user's login it obtains Kerberos tickets for that user and stores them in a credential cache (ccache) on the local filesystem; those cache files are what this vulnerability exposes.
⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with a local account copies another user's credential cache and so obtains that user's Kerberos Ticket Granting Ticket (TGT) and any service tickets in it. With those tickets the attacker acts as that user against Azure/Intune-managed resources until the tickets expire, and if the stolen identity is privileged, can move further into the hybrid environment.

🟠 Likely Case

A local user or malicious insider on a shared or multi-user Himmelblau host reads other users' cached tickets and uses them for unauthorized access to Azure/Intune-managed resources.

🟢 If Mitigated

With the cache directory at mode 700 and each cache file at mode 600, owned by the user it belongs to, only that user (and root) can read the tickets, so a foothold as an unprivileged local user does not yield other users' credentials, even if the attacker got that foothold through some other vulnerability.

🌐 Internet-Facing: LOW - This is a local file permission issue requiring access to the host system where Himmelblau runs.
🏢 Internal Only: HIGH - Any user with local access to the Himmelblau host can potentially read sensitive credentials, making internal threats significant.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No (a local account on the host is required)
Complexity: LOW

Exploitation needs nothing beyond a local account: the cache files are readable by every user on the host, so an ordinary file read (cat or cp) is enough and no bug in Himmelblau has to be triggered. The copied cache can then be used as-is with standard Kerberos tooling. The vendor advisory describes the affected file locations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.22 or 1.2.0

Vendor Advisory: https://github.com/himmelblau-idm/himmelblau/security/advisories/GHSA-phfx-rjfw-wj83

Restart Required: Yes

Instructions:

1. Stop the Himmelblau services.
2. Back up the Himmelblau configuration and data.
3. Upgrade to 0.9.22 (0.x branch) or 1.2.0 (1.x branch).
4. Restart the Himmelblau services.
5. Check the permissions of the credential cache directory and of the cache files already on disk: an upgrade does not necessarily change the mode of files created by the vulnerable version, so fix or remove any that are still group/other-readable.
6. Treat tickets that were exposed while untrusted local users had access to the host as compromised: they stay valid until they expire, so review activity by the affected identities over that window.

🔧 Temporary Workarounds

Restrict cache file permissions

linux

Remove group and other access from the Himmelblau credential cache directory and the cache files in it. Himmelblau is a Linux PAM/NSS suite, so this is the only platform the workaround applies to; substitute the cache location named in the vendor advisory for the placeholder path.

chmod 600 /path/to/himmelblau/cache/*
chmod 700 /path/to/himmelblau/cache/

Each cache file must stay owned by the user whose tickets it holds, or that user can no longer read it after the chmod. A vulnerable Himmelblau may recreate caches with the old permissions at the next login or ticket refresh, so repeat the check (for example from a cron job or systemd timer) until the host is patched.

🧯 If You Can't Patch

  • Apply the workaround above to the Himmelblau cache directory and repeat it regularly, since a vulnerable version may recreate caches with the old permissions
  • Restrict who can log into the Himmelblau host (interactive, SSH and service accounts): the bug is only exploitable by someone with a local account
  • Keep the number of users with cached tickets on any one host small, so that a compromise of the host exposes as few identities as possible

🔍 How to Verify

Check if Vulnerable:

Check the installed Himmelblau version against the affected ranges, then inspect the mode and owner of the cache directory and every file in it: ls -la /path/to/himmelblau/cache/ (substitute the location from the advisory). A directory mode other than drwx------ or a file mode other than -rw------- means the caches are exposed.

Check Version:

Query your package manager for the installed himmelblau package (dpkg -l himmelblau or rpm -q himmelblau), or run himmelblau --version if the installed binaries support it

Verify Fix Applied:

The installed version is 0.9.22 or later on the 0.x branch, or 1.2.0 or later on the 1.x branch, and the cache directory is mode 700 with each cache file mode 600 and owned by the user it belongs to. Check again after a user logs in, so that you see files written by the patched version rather than only files left over from before the upgrade.
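A script that performs the permission check from this verification section and, with a second argument, applies the chmod workaround from the Temporary Workarounds section. It is an added example, not Himmelblau project code. The cache location /var/cache/himmelblau in the usage comments is an assumption; substitute the directory named in the advisory. It uses GNU find and stat (-perm /077, stat -c), so it expects a Linux host, which is the only platform Himmelblau runs on.

```shell
#!/bin/sh
# Added example (not Himmelblau project code): audit a credential cache
# directory for entries that group or other can access, and optionally fix
# them. The cache path in the usage lines is an assumption.
#
#   audit_ccache_dir DIR        report offenders; returns 1 if any were found
#   audit_ccache_dir DIR fix    chmod 700 directories / 600 files; returns 0

audit_ccache_dir() {
    dir="$1"
    action="${2:-check}"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }

    # Any group/other permission bit is wrong for a ccache: the directory
    # should be 700 and each cache file 600, owned by the user it belongs to.
    # (-perm /077 is GNU find syntax: "any of these bits set".)
    offenders=$(find "$dir" ! -type l -perm /077)
    if [ -z "$offenders" ]; then
        echo "ok: nothing under $dir is accessible to group/other"
        return 0
    fi

    printf '%s\n' "$offenders" | while IFS= read -r path; do
        if [ -d "$path" ]; then want=700; else want=600; fi
        if [ "$action" = fix ]; then
            chmod "$want" "$path" && echo "fixed: $path -> $want"
        else
            echo "exposed: $path ($(stat -c '%a %U' "$path"), want $want)"
        fi
    done

    # Check mode signals a problem with a non-zero status; fix mode reports success.
    [ "$action" = fix ]
}

# Run as a script:  ./ccache_perms.sh /var/cache/himmelblau [fix]
if [ -n "${1:-}" ]; then
    audit_ccache_dir "$@"
fi
```

The script only changes mode bits, never ownership: a cache file that is owned by the wrong user is a separate problem, and chmod 600 on such a file locks the real user out, so look at the owner column in the check output before fixing. Until the host is patched, run the check from a cron job or systemd timer, because a vulnerable Himmelblau can write a fresh world-readable cache at the next login.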

📡 Detection & Monitoring

Log Indicators:

  • Because the cache files are world-readable, reads by other users succeed silently and produce no permission-denied error; the only way to see them is an audit file watch on the cache directory (for example an auditd watch) that records which uid opened which cache file
  • Permission-denied errors on cache files appear only once the workaround or fix is in place, and then indicate someone still trying to read another user's cache

Network Indicators:

  • Kerberos tickets issued to a user on the Himmelblau host being presented from another host, or from that host while the user has no active session there
  • Authentication to Azure/Intune-managed resources as a user who is not logged in on the host the tickets came from

SIEM Query (illustrative; the field names are placeholders and must be mapped to the way your pipeline ingests the audit events):

source="himmelblau" AND (event="permission_denied" OR event="cache_access")
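The audit-watch detection described above, as an added example that is not from this page or from the Himmelblau project. It assumes an auditd rule of the form auditctl -w /var/cache/himmelblau -p r -k himmelblau_ccache (the directory is an assumption; use the cache location named in the advisory) and correlates each SYSCALL record with the PATH record of the same event serial to find successful reads of a cache file by a uid that does not own it. The audit lines in the block are constructed for the demonstration, as are the process names in them; the record layout (reader uid in SYSCALL, file name/mode/owner uid in PATH) is auditd's real format.

```python
"""Added example (not Himmelblau project code): flag reads of a Kerberos
credential cache by a uid other than the file's owner, from auditd records.

Assumes an auditd watch such as
    auditctl -w /var/cache/himmelblau -p r -k himmelblau_ccache
(the directory is an assumption; use the cache location from the advisory).
"""
import re
from collections import defaultdict

AUDIT_KEY = "himmelblau_ccache"   # key from the assumed auditctl rule

SERIAL_RE = re.compile(r"msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample log. Event 501: owner reads own cache (fine). Event 502:
# uid 1001 reads uid 1000's world-readable cache (the bug). Event 503: root
# reads it (root can read anything). Event 504: uid 1001 tries a mode 600
# cache and fails with EACCES (exit=-13), which is what a fixed host logs.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1722470400.101:501): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=900 pid=901 auid=1000 uid=1000 gid=1000 euid=1000 comm="klist" exe="/usr/bin/klist" key="himmelblau_ccache"
type=PATH msg=audit(1722470400.101:501): item=0 name="/var/cache/himmelblau/krb5cc_1000" inode=4242 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1722470455.337:502): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1201 auid=1001 uid=1001 gid=1001 euid=1001 comm="cat" exe="/usr/bin/cat" key="himmelblau_ccache"
type=PATH msg=audit(1722470455.337:502): item=0 name="/var/cache/himmelblau/krb5cc_1000" inode=4242 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1722470460.002:503): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=77 auid=4294967295 uid=0 gid=0 euid=0 comm="himmelblaud" exe="/usr/sbin/himmelblaud" key="himmelblau_ccache"
type=PATH msg=audit(1722470460.002:503): item=0 name="/var/cache/himmelblau/krb5cc_1000" inode=4242 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1722470500.500:504): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1200 pid=1202 auid=1001 uid=1001 gid=1001 euid=1001 comm="cat" exe="/usr/bin/cat" key="himmelblau_ccache"
type=PATH msg=audit(1722470500.500:504): item=0 name="/var/cache/himmelblau/krb5cc_1002" inode=4243 dev=fd:01 mode=0100600 ouid=1002 ogid=1002 rdev=00:00 nametype=NORMAL
"""


def parse_record(line):
    """Return (record type, event serial, timestamp, fields) or None."""
    m = SERIAL_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return fields.get("type"), int(m.group("serial")), float(m.group("ts")), fields


def find_cross_user_reads(lines, ignore_root=True):
    """Correlate SYSCALL and PATH records by serial and report successful
    reads of a ccache file by a uid that does not own it.

    Root can read any file regardless of mode, so its reads say nothing about
    this bug; ignore_root=False includes them anyway (e.g. to see the daemon).
    """
    events = defaultdict(dict)
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, serial, ts, fields = parsed
        events[serial].setdefault("ts", ts)
        if rtype == "SYSCALL":
            events[serial]["syscall"] = fields
        elif rtype == "PATH" and fields.get("nametype") == "NORMAL":
            events[serial]["path"] = fields

    alerts = []
    for serial, ev in sorted(events.items()):
        sc, path = ev.get("syscall"), ev.get("path")
        if sc is None or path is None:
            continue                      # incomplete event
        if sc.get("key") != AUDIT_KEY or sc.get("success") != "yes":
            continue                      # not our watch, or the open failed
        reader, owner = int(sc["uid"]), int(path["ouid"])
        if reader == owner or (ignore_root and reader == 0):
            continue
        mode = int(path["mode"], 8)
        alerts.append({
            "serial": serial,
            "ts": ev["ts"],
            "reader_uid": reader,
            "owner_uid": owner,
            "comm": sc.get("comm"),
            "path": path["name"],
            "world_readable": bool(mode & 0o004),   # other-read bit set
        })
    return alerts


if __name__ == "__main__":
    for a in find_cross_user_reads(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"ALERT serial={a['serial']} uid={a['reader_uid']} read {a['path']} "
              f"(owner uid {a['owner_uid']}, comm={a['comm']}, "
              f"world_readable={a['world_readable']})")
```

Only event 502 is reported with the default settings: the owner's own read and root's read are expected, and the failed open in 504 is the permission-denied signal a fixed host produces rather than a successful theft. Feed the function the raw records from ausearch -k himmelblau_ccache, and keep the failed opens as a second, lower-priority signal once the caches are locked down.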
