CVE-2025-58457

4.3 MEDIUM

📋 TL;DR

This vulnerability allows authorized ZooKeeper clients to execute snapshot and restore commands without proper permission checks. It affects Apache ZooKeeper installations running versions 3.9.0 through 3.9.3. The issue enables privilege escalation within the ZooKeeper administrative interface.

💻 Affected Systems

Products:
  • Apache ZooKeeper
Versions: 3.9.0 through 3.9.3
Operating Systems: All platforms running ZooKeeper
Default Config Vulnerable: ⚠️ Yes
Notes: Default configurations with AdminServer enabled and open ACLs are vulnerable. ZooKeeper ACLs are not recursive, so child node operations remain protected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Authorized clients could execute administrative snapshot/restore operations, potentially disrupting ZooKeeper cluster operations or restoring malicious data.

🟠 Likely Case

Authorized users with limited permissions could perform administrative operations they shouldn't have access to, violating the principle of least privilege.

🟢 If Mitigated

With proper ACLs or AdminServer disabled, the vulnerability has minimal impact as unauthorized access is prevented.

🌐 Internet-Facing: MEDIUM - If AdminServer is exposed to the internet with weak ACLs, attackers could exploit this after gaining some level of access.
🏢 Internal Only: MEDIUM - Internal authorized users could abuse this to perform unauthorized administrative operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires authorized client access. Exploitation involves sending specific commands to the AdminServer interface.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.9.4

Vendor Advisory: https://lists.apache.org/thread/r5yol0kkhx2fzw22pxk1ozwm3oc6yxrx

Restart Required: No

Instructions:

1. Download ZooKeeper 3.9.4 from the Apache website.
2. Stop the ZooKeeper service.
3. Replace the existing installation with 3.9.4.
4. Start the ZooKeeper service.
5. Verify the version is now 3.9.4.

🔧 Temporary Workarounds

Disable AdminServer (applies to: all platforms)

  Completely disable the AdminServer interface.
  Set admin.enableServer=false in zoo.cfg.

Disable vulnerable commands (applies to: all platforms)

  Disable only the snapshot and restore commands.
  Set admin.snapshot.enabled=false and admin.restore.enabled=false in zoo.cfg.

Restrict ACL permissions (applies to: all platforms)

  Ensure the root ACL does not grant open permissions.
  Configure appropriate ACLs for the root node using ZooKeeper ACL commands.

🧯 If You Can't Patch

  • Disable AdminServer interface completely via admin.enableServer=false
  • Disable snapshot and restore commands via admin.snapshot.enabled=false and admin.restore.enabled=false
  • Implement strict network access controls to limit AdminServer access
  • Review and tighten ZooKeeper ACL configurations

🔍 How to Verify

Check if Vulnerable:

Check the ZooKeeper version and confirm whether it is 3.9.0 through 3.9.3 with AdminServer enabled.

Check Version:

echo stat | nc localhost 2181 | grep Version

Verify Fix Applied:

Verify ZooKeeper version is 3.9.4 or later, or that mitigation controls are properly configured
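The version check and the zoo.cfg workarounds above combined into one script, as an added example that is not part of this advisory: it parses the version out of `stat` output, reads the AdminServer settings from zoo.cfg, and reports whether the node is still exposed. The sample `stat` output and zoo.cfg are constructed; on a real host feed it `echo stat | nc host 2181` (note that since 3.5.3 only `srvr` is in the four-letter-word whitelist by default, and `srvr` prints the same version line) and the node's actual zoo.cfg. Treating a missing `admin.snapshot.enabled` / `admin.restore.enabled` key as enabled follows the advisory's statement that default configurations are vulnerable.

```shell
#!/bin/sh
# Added example: assess CVE-2025-58457 exposure from a version string and a zoo.cfg.

# Pull "3.9.2" out of a "Zookeeper version: 3.9.2-<hash>, built on ..." line (stdin).
parse_version() {
  sed -n 's/^Zookeeper version: *\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Read key=value from a zoo.cfg file; last occurrence wins, default if the key is absent.
cfg_get() { # $1=file $2=key $3=default
  k=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots so they match literally
  val=$(sed -n "s/^[[:space:]]*$k[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1)
  printf '%s\n' "${val:-$3}"
}

# Return 0 when the version is in the affected range 3.9.0 through 3.9.3.
is_affected_version() {
  case "$1" in 3.9.0|3.9.1|3.9.2|3.9.3) return 0 ;; *) return 1 ;; esac
}

# Print VULNERABLE or MITIGATED; return 0 when vulnerable, 1 when not.
# Mitigations recognised: admin.enableServer=false, or BOTH admin.snapshot.enabled=false
# and admin.restore.enabled=false. Missing keys are assumed to mean "enabled" (defaults).
assess() { # $1=version $2=path to zoo.cfg
  if ! is_affected_version "$1"; then echo "MITIGATED: version $1 not affected"; return 1; fi
  admin=$(cfg_get "$2" admin.enableServer true)
  snap=$(cfg_get "$2" admin.snapshot.enabled true)
  rest=$(cfg_get "$2" admin.restore.enabled true)
  if [ "$admin" = false ]; then echo "MITIGATED: AdminServer disabled"; return 1; fi
  if [ "$snap" = false ] && [ "$rest" = false ]; then
    echo "MITIGATED: snapshot and restore commands disabled"; return 1
  fi
  echo "VULNERABLE: $1 with AdminServer enabled on port $(cfg_get "$2" admin.serverPort 8080)"
  return 0
}

# Constructed sample inputs: a 3.9.2 node that disabled only the snapshot command.
STAT_OUT='Zookeeper version: 3.9.2-0000000, built on 2024-01-01 00:00 UTC
Clients:
 /127.0.0.1:50112[0](queued=0,recved=1,sent=0)'
CFG=$(mktemp)
printf 'tickTime=2000\nclientPort=2181\nadmin.snapshot.enabled=false\n' > "$CFG"
VER=$(printf '%s\n' "$STAT_OUT" | parse_version)
assess "$VER" "$CFG"   # restore is still enabled, so this reports VULNERABLE
rm -f "$CFG"
```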

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized snapshot/restore command attempts in ZooKeeper logs
  • AdminServer access logs showing suspicious commands

Network Indicators:

  • Unexpected traffic to AdminServer port (typically 8080)
  • Snapshot/restore commands from unauthorized sources

SIEM Query:

source="zookeeper.log" AND ("snapshot" OR "restore") AND NOT user="authorized_user"
