CVE-2025-6032
📋 TL;DR
Podman's podman machine init command fails to verify TLS certificates when downloading VM images from OCI registries, which allows man-in-the-middle attacks. An attacker in that position can intercept the download and replace the legitimate VM image with a malicious one. This affects all Podman users who run podman machine init on untrusted networks.
💻 Affected Systems
- Podman
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers can replace legitimate VM images with malicious ones containing backdoors, malware, or compromised configurations, leading to complete compromise of the container environment and potentially the host system.
Likely Case
Attackers intercept VM image downloads to inject malicious code or configurations, enabling persistence, data theft, or lateral movement within the environment.
If Mitigated
With proper network controls and certificate validation, the attack surface is limited to environments where attackers can intercept TLS traffic between Podman and registries.
🎯 Exploit Status
Requires man-in-the-middle position between Podman and OCI registry during VM image download.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check specific Red Hat advisories for patched versions
Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:10295
Restart Required: No
Instructions:
1. Update Podman to the latest patched version from your distribution's repository.
2. For Red Hat systems, apply the relevant RHSA patches.
3. Verify the fix by checking Podman version.
🔧 Temporary Workarounds
Use trusted networks only
Only run podman machine init on trusted, secure networks where man-in-the-middle attacks are unlikely
Download images manually with verification
Manually download VM images from trusted sources with proper TLS certificate verification, then use them locally
🧯 If You Can't Patch
- Avoid using podman machine init command on untrusted networks
- Implement network segmentation and monitoring to detect man-in-the-middle attempts
🔍 How to Verify
Check if Vulnerable:
Check if your Podman version is affected by comparing against Red Hat advisories. Run podman machine init in a test environment with a proxy to see if certificate warnings appear.
Check Version:
podman version
Verify Fix Applied:
After updating, test podman machine init with a proxy that presents invalid certificates - it should fail with certificate validation errors.
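The difference this check looks for can be reproduced offline with Go's standard library. This is an added example, not Podman's code: it illustrates the bug class (a client that skips certificate verification) next to the expected behaviour, and the payload string and the function names fetch and runCheck are constructed for the illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// fetch downloads url with the given TLS settings and returns the body.
func fetch(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// runCheck serves a constructed payload over TLS with a certificate no trust
// store contains (stand-in for an intercepting proxy) and fetches it three ways.
func runCheck() (skipBody string, certRejected bool, trustedBody string) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "constructed-image-bytes")
	}))
	defer srv.Close()
	// Bug class from this advisory: verification disabled, any certificate accepted.
	skipBody, _ = fetch(srv.URL, &tls.Config{InsecureSkipVerify: true})
	// Expected behaviour: default verification rejects the unknown issuer.
	_, err := fetch(srv.URL, &tls.Config{})
	var verr *tls.CertificateVerificationError // wrapper type added in Go 1.20
	certRejected = errors.As(err, &verr)
	// Verification stays on, and the endpoint's certificate is explicitly trusted.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	trustedBody, _ = fetch(srv.URL, &tls.Config{RootCAs: pool})
	return
}

func main() {
	skip, rejected, trusted := runCheck()
	fmt.Printf("skip-verify body: %q\nstrict rejected: %v\nexplicit-trust body: %q\n", skip, rejected, trusted)
}
```

A client that behaves like the first case returns the payload from an untrusted endpoint without any error; a fixed client should behave like the second.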
📡 Detection & Monitoring
Log Indicators:
- Failed certificate validation warnings during podman machine init
- Unexpected registry connections during VM image downloads
Network Indicators:
- Unencrypted or improperly encrypted traffic to OCI registries during podman machine init
- Suspicious man-in-the-middle patterns in network traffic
SIEM Query:
Search for podman machine init commands followed by network connections to OCI registries without proper TLS handshake completion
🔗 References
- https://access.redhat.com/errata/RHSA-2025:10295
- https://access.redhat.com/errata/RHSA-2025:10549
- https://access.redhat.com/errata/RHSA-2025:10550
- https://access.redhat.com/errata/RHSA-2025:10551
- https://access.redhat.com/errata/RHSA-2025:10668
- https://access.redhat.com/errata/RHSA-2025:11359
- https://access.redhat.com/errata/RHSA-2025:11363
- https://access.redhat.com/errata/RHSA-2025:11677
- https://access.redhat.com/errata/RHSA-2025:11681
- https://access.redhat.com/errata/RHSA-2025:15397
- https://access.redhat.com/errata/RHSA-2025:9726
- https://access.redhat.com/errata/RHSA-2025:9751
- https://access.redhat.com/errata/RHSA-2025:9766
- https://access.redhat.com/security/cve/CVE-2025-6032
- https://bugzilla.redhat.com/show_bug.cgi?id=2372501
- https://github.com/containers/podman/commit/726b506acc8a00d99f1a3a1357ecf619a1f798c3
- https://github.com/containers/podman/security/advisories/GHSA-65gg-3w2w-hr4h