CVE-2025-59089

5.9 MEDIUM

📋 TL;DR

kdcproxy does not bound the size of the reply it reads back from a KDC. An attacker who controls the KDC that kdcproxy contacts, or who can redirect kdcproxy's outbound connection to a KDC they control, can return an unbounded reply; the proxy buffers it, driving memory and CPU consumption until it can no longer serve legitimate Kerberos clients. Systems running vulnerable versions of kdcproxy are affected.
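The unbounded-read pattern described above, beside the bounded read that closes it, as an added example written for this page (it is not kdcproxy's own code). A Kerberos message over TCP is a 4-byte big-endian length followed by that many bytes, so the hardened reader validates the declared length before allocating for it and never consumes more than it. The cap MAX_KDC_REPLY, the FakeSock stand-in and the sample byte strings are assumptions constructed for the demonstration.

```python
import io
import struct

# Assumed cap for a single KDC reply. Real AS-REP/TGS-REP messages are a few
# KiB; 64 KiB leaves room for large PACs while still bounding what a hostile
# KDC can make the proxy hold in memory.
MAX_KDC_REPLY = 64 * 1024


class ReplyTooLarge(ValueError):
    """Raised when the KDC declares a reply larger than the configured cap."""


class FakeSock:
    """Stand-in for a connected TCP socket, fed from a constructed byte string.

    Only recv() is modelled; a real implementation would also call
    sock.settimeout() so a KDC that stalls cannot pin a worker forever.
    """

    def __init__(self, data: bytes) -> None:
        self._buf = io.BytesIO(data)

    def recv(self, n: int) -> bytes:
        return self._buf.read(n)


def read_reply_unbounded(sock) -> bytes:
    """Vulnerable pattern: accumulate whatever the peer sends until it closes.

    Memory use is bounded only by how much the remote KDC chooses to send.
    """
    chunks = []
    while True:
        chunk = sock.recv(1048576)
        if not chunk:
            break
        chunks.append(chunk)
    data = b"".join(chunks)
    (length,) = struct.unpack("!I", data[:4])
    return data[4:4 + length]


def _recv_exact(sock, n: int) -> bytes:
    """Read exactly n bytes or fail; never ask the socket for more than needed."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(min(4096, n - len(buf)))
        if not chunk:
            raise ConnectionError("KDC closed the connection mid-message")
        buf += chunk
    return bytes(buf)


def read_reply_bounded(sock, max_len: int = MAX_KDC_REPLY) -> bytes:
    """Hardened pattern: validate the declared length before allocating for it."""
    header = _recv_exact(sock, 4)
    (length,) = struct.unpack("!I", header)
    if length == 0 or length > max_len:
        raise ReplyTooLarge(f"KDC declared {length} bytes, cap is {max_len}")
    # Read exactly the declared length; trailing bytes from a chatty KDC are
    # left unread instead of being buffered.
    return _recv_exact(sock, length)


def frame(payload: bytes) -> bytes:
    """Wrap a payload in the 4-byte big-endian length prefix Kerberos uses over TCP."""
    return struct.pack("!I", len(payload)) + payload


def classify(data: bytes, max_len: int = MAX_KDC_REPLY) -> tuple:
    """Run the hardened reader over a byte stream and report the outcome."""
    try:
        reply = read_reply_bounded(FakeSock(data), max_len)
    except ReplyTooLarge:
        return ("rejected", 0)
    except ConnectionError:
        return ("truncated", 0)
    return ("ok", len(reply))


# Constructed sample streams standing in for what a KDC might send back.
BENIGN_REPLY = frame(b"fake-AS-REP")                                  # well-formed 11-byte reply
OVERSIZED_HEADER = struct.pack("!I", 0xFFFFFFFF) + b"A" * 1_000_000  # hostile: claims ~4 GiB, streams 1 MB
TRUNCATED = struct.pack("!I", 100) + b"short"                         # declares 100 bytes, sends 5


if __name__ == "__main__":
    print("benign    :", classify(BENIGN_REPLY))
    print("oversized :", classify(OVERSIZED_HEADER))
    print("truncated :", classify(TRUNCATED))
    # The vulnerable reader buffers the whole hostile stream before looking at the header.
    print("unbounded reader buffered",
          len(read_reply_unbounded(FakeSock(OVERSIZED_HEADER))), "bytes")
```

The cap is the important design choice: it is checked against the declared length before any allocation, so a KDC that claims a 4 GiB reply costs the proxy four bytes, not gigabytes. Pair it with a socket timeout, since a KDC that sends the header and then stalls is the other half of the same resource-exhaustion problem.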

💻 Affected Systems

Products:
  • kdcproxy
Versions: Versions prior to the patched releases referenced in Red Hat advisories RHSA-2025:21138 through RHSA-2025:21142 (see Fix & Mitigation)
Operating Systems: Linux distributions with kdcproxy packages
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the attacker to control a KDC that kdcproxy will contact, or to redirect kdcproxy's outbound connection to one (e.g. via SSRF); kdcproxy must be reachable by the attacker or by the clients they can influence.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service outage through memory/CPU exhaustion, accept queue overflow preventing legitimate connections, and potential system instability requiring restart.

🟠

Likely Case

Degraded performance, intermittent service disruptions, and increased resource consumption affecting legitimate Kerberos authentication requests.

🟢

If Mitigated

Minimal impact with proper network segmentation, rate limiting, and monitoring in place to detect anomalous traffic patterns.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the ability to make kdcproxy talk to an attacker-controlled KDC, either by controlling a KDC it is configured or discovers for a realm, or by redirecting its outbound connection (SSRF or network manipulation). No client authentication is needed; the hostile payload is the KDC's reply, not the client's request.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions referenced in Red Hat advisories RHSA-2025:21138 through RHSA-2025:21142

Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:21138

Restart Required: Yes

Instructions:

  1. Check the installed kdcproxy version (rpm -q kdcproxy) against the advisory for your RHEL release.
  2. Apply the Red Hat security update: yum update kdcproxy (dnf on RHEL 8 and later).
  3. Restart the service that hosts the kdcproxy WSGI application (typically httpd) so the new code is loaded.
  4. Verify that rpm -q kdcproxy reports the patched version and that the proxy endpoint still answers requests.

🔧 Temporary Workarounds

Network Segmentation

Restrict outbound Kerberos traffic from the kdcproxy host to the KDCs you operate, on both TCP and UDP (kdcproxy can use either). Replace trusted_kdc_ip with a KDC address and repeat the ACCEPT rules once per KDC; apply the same pattern to port 464 if kpasswd is proxied.

iptables -A OUTPUT -p tcp --dport 88 -d trusted_kdc_ip -j ACCEPT
iptables -A OUTPUT -p udp --dport 88 -d trusted_kdc_ip -j ACCEPT
iptables -A OUTPUT -p tcp --dport 88 -j DROP
iptables -A OUTPUT -p udp --dport 88 -j DROP

Also check /etc/kdcproxy.conf: with use_dns = false in the [global] section and an explicit kerberos = entry per realm, kdcproxy only contacts the KDCs you list instead of discovering them from DNS SRV records, which removes the redirect path for realms you do not configure.

Rate Limiting

Limit the rate of new inbound connections so a flood cannot overflow the accept queue. Match on new connections only (the rules as originally written would also drop packets of established sessions once the limit is hit) and allow a burst for legitimate client spikes. Replace kdcproxy_port with the port the WSGI front end listens on (443 when kdcproxy is served by httpd; note the limit then applies to all HTTPS traffic on that port). This reduces the accept-queue symptom only; it does nothing about a hostile KDC reply, which is the root cause.

iptables -A INPUT -p tcp --dport kdcproxy_port -m conntrack --ctstate NEW -m limit --limit 10/second --limit-burst 30 -j ACCEPT
iptables -A INPUT -p tcp --dport kdcproxy_port -m conntrack --ctstate NEW -j DROP

🧯 If You Can't Patch

  • Implement strict network controls so kdcproxy can only connect to the KDCs you operate (outbound firewall rules plus static KDC configuration instead of DNS discovery)
  • Monitor the memory and CPU of the process hosting kdcproxy for anomalous growth, and alert on outbound connections to KDCs that are not on your allow list

🔍 How to Verify

Check if Vulnerable:

Compare the installed kdcproxy version against the patched versions listed in the Red Hat advisories; separately, check whether kdcproxy can reach KDCs other than the ones you operate (DNS-based KDC discovery enabled, unrestricted outbound port 88).

Check Version:

rpm -q kdcproxy

Verify Fix Applied:

Verify that the updated kdcproxy version is installed and the hosting service (typically httpd) is running with the new code. To confirm the fix functionally, do so only in an isolated lab: point a test instance at a KDC you control that returns an oversized reply and confirm the proxy rejects it without its memory growing.

📡 Detection & Monitoring

Log Indicators:

  • Unusually large memory allocation by the process hosting kdcproxy (the httpd/WSGI worker) that is not explained by request volume
  • Multiple connection timeouts or aborted reads logged by kdcproxy when talking to KDCs
  • Sustained high CPU usage by the process hosting kdcproxy

Network Indicators:

  • Excessive data transfer to kdcproxy from non-standard KDC servers
  • Multiple concurrent connections to kdcproxy from single source

SIEM Query:

process_name:"kdcproxy" AND (memory_usage > threshold OR cpu_usage > threshold)
