CVE-2025-59088

8.6 HIGH

📋 TL;DR

This vulnerability in kdcproxy allows server-side request forgery (SSRF): an unauthenticated client can send a request for a realm that has no server addresses defined in the kdcproxy configuration. For such realms kdcproxy falls back to DNS SRV lookups, so an attacker who controls the DNS zone of the requested realm can point kdcproxy at arbitrary hosts and ports, enabling internal network reconnaissance and data exfiltration. Only deployments with the default 'use_dns' setting (enabled) are affected.

💻 Affected Systems

Products:
  • kdcproxy
Versions: All versions prior to patched releases
Operating Systems: Linux distributions with kdcproxy packages
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when 'use_dns' setting is enabled (default). Deployments explicitly setting 'use_dns' to false are not affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could map internal network topology, bypass firewalls, perform port scanning, exfiltrate sensitive data from internal services, and potentially chain with other vulnerabilities for further compromise.

🟠 Likely Case

Internal network reconnaissance, firewall rule probing, and port scanning of internal systems accessible from the kdcproxy server.

🟢 If Mitigated

Limited to DNS query logging and minimal information leakage if proper network segmentation and DNS controls are implemented.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires DNS zone control but no authentication to kdcproxy. Attack pattern is straightforward for attackers with DNS manipulation capabilities.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Red Hat advisories RHSA-2025:21138 through RHSA-2025:21142 for specific package versions

Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:21138

Restart Required: Yes

Instructions:

  1. Update the kdcproxy package using your distribution's package manager.
  2. Restart the kdcproxy service.
  3. Verify the configuration has 'use_dns' set appropriately.

🔧 Temporary Workarounds

Disable DNS SRV lookup


Set 'use_dns = false' in the kdcproxy configuration to prevent DNS SRV queries for realms that have no servers defined:

Edit the kdcproxy configuration file and add/change: use_dns = false
Restart the kdcproxy service

Network restriction


Restrict kdcproxy's outbound DNS queries using firewall rules. Note that the rules below, as written, drop all outbound DNS from the host, not only kdcproxy's; scope them to the account kdcproxy runs under (for example with the iptables owner match, "-m owner --uid-owner <kdcproxy-user>", where <kdcproxy-user> is a placeholder for your deployment) and confirm nothing else on the host depends on DNS before applying them.

# Drop all outbound DNS (UDP and TCP) from this host; add an owner match to limit the rule to the kdcproxy user
iptables -A OUTPUT -p udp --dport 53 -j DROP
iptables -A OUTPUT -p tcp --dport 53 -j DROP

🧯 If You Can't Patch

  • Set 'use_dns = false' in kdcproxy configuration immediately
  • Implement strict egress filtering to block kdcproxy's DNS queries to untrusted networks

🔍 How to Verify

Check if Vulnerable:

Check the kdcproxy configuration for the 'use_dns' setting. If it is not set (kdcproxy enables DNS lookup by default) or is set to true, the system is vulnerable.
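An added example, not from this page or the kdcproxy project, that applies the check above to a kdcproxy.conf in Python: it reports whether the vulnerable DNS fallback is in effect (a missing 'use_dns' counts as enabled) and which configured realms lack an explicit server list. The config layout (a [global] section holding use_dns, and one section per realm with 'kerberos' / 'kpasswd' server URIs) is assumed from upstream kdcproxy documentation, and the sample file is constructed.

```python
"""Assess a kdcproxy.conf for the CVE-2025-59088 exposure condition (added example)."""
import configparser
from typing import Dict, List

# Constructed sample: 'use_dns' is absent, so kdcproxy falls back to its default (enabled),
# and PARTNER.NET has no 'kerberos' servers, so KDC requests for it would go through SRV lookup.
SAMPLE_CONF = """
[global]
configs = mit

[EXAMPLE.COM]
kerberos = kerberos+tcp://kdc1.example.com:88 kerberos+udp://kdc2.example.com:88
kpasswd = kpasswd+tcp://kdc1.example.com:464

[PARTNER.NET]
kpasswd = kpasswd+tcp://kpasswd.partner.net:464
"""


def parse_kdcproxy_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def dns_fallback_enabled(cp: configparser.ConfigParser) -> bool:
    # An unset 'use_dns' (or a missing [global] section) means the default, which is enabled.
    return cp.getboolean("global", "use_dns", fallback=True)


def realms_without_kdc(cp: configparser.ConfigParser) -> List[str]:
    """Realm sections with no 'kerberos' server list. Any realm absent from the file entirely
    is also resolved via SRV when use_dns is enabled, so this only flags partial entries."""
    return [s for s in cp.sections()
            if s != "global" and not cp.get(s, "kerberos", fallback="").strip()]


def assess(text: str) -> Dict[str, object]:
    cp = parse_kdcproxy_conf(text)
    use_dns = dns_fallback_enabled(cp)
    return {
        "use_dns": use_dns,
        "vulnerable_config": use_dns,  # per the advisory: unpatched + use_dns enabled => exposed
        "configured_realms": [s for s in cp.sections() if s != "global"],
        "realms_without_kdc": realms_without_kdc(cp),
    }


def assess_file(path: str = "/etc/kdcproxy.conf") -> Dict[str, object]:
    with open(path, encoding="utf-8") as fh:
        return assess(fh.read())
```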

Check Version:

rpm -q kdcproxy  # For RHEL-based systems

Verify Fix Applied:

Confirm that the installed kdcproxy package is at or above the patched version listed in the Red Hat advisories, or, if it is not yet patched, that 'use_dns' is explicitly set to false.

📡 Detection & Monitoring

Log Indicators:

  • Unusual DNS queries from kdcproxy process
  • Requests for non-standard realm names
  • Failed authentication attempts for unknown realms

Network Indicators:

  • DNS queries for unexpected domain names from kdcproxy server
  • Outbound connections from kdcproxy to unusual ports following DNS queries

SIEM Query:

source="kdcproxy.log" AND ("DNS query" OR "SRV lookup") AND realm NOT IN [expected_realms]
