CVE-2025-60892
📋 TL;DR
Raspberry Pi Imager 1.9.6 for Windows has a logic flaw in its OS customization dialog: with the public-key authentication setting enabled, the key read from the user's id_rsa.pub is re-added to the Raspberry Pi's authorized_keys file every time, even after the user deletes it from the key list. The imaged Raspberry Pi therefore trusts a key its owner believed had been removed, and anyone holding the matching private key can log in over SSH. Only users of Raspberry Pi Imager 1.9.6 for Windows who apply the OS customization feature with public-key authentication are affected.
💻 Affected Systems
- Raspberry Pi Imager 1.9.6 for Windows (images written with OS customization and the public-key authentication option enabled)
- Any Raspberry Pi imaged with that build and those settings: the unwanted key lives in authorized_keys on the device, not in Imager itself
⚠️ Manual Verification Required
The NVD record for this CVE carries no CPE version range, so version-based scanners cannot flag an affected installation automatically.
Why? The affected build is stated only in the CVE description text (1.9.6 for Windows), not as vendor/NVD version ranges that tooling can match on.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An attacker holding the private half of the re-added key gains persistent SSH access to the Raspberry Pi through a key its owner believed had been removed, potentially leading to full system compromise, data theft, or use of the device as a pivot point in the network.
Likely Case
Unauthorized SSH access to the Raspberry Pi by whoever holds the private key matching the re-added id_rsa.pub (for example, another person who uses the same Windows account, or a key that was previously copied off that machine), allowing them to execute commands, install malware, or read sensitive data on the device.
If Mitigated
Limited impact if SSH is disabled, network access to the device is restricted, or authorized_keys on each imaged device is reviewed after first boot so the re-added key is caught before it can be used.
🎯 Exploit Status
No exploit code is involved: the weakness is a logic flaw in the OS customization dialog rather than a memory-safety or injection bug. Exploitation requires the private key matching the re-added id_rsa.pub (the key from the Windows user's profile) plus network reachability of the Raspberry Pi's SSH service; with those, the attacker simply logs in, because the device trusts a key its owner did not intend to install.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.7 or later
Vendor Advisory: https://github.com/raspberrypi/rpi-imager/issues/1185
Restart Required: No
Instructions:
1. Download the latest version of Raspberry Pi Imager from the official website.
2. Install the new version over the existing installation.
3. Verify the version is 1.9.7 or higher.
Updating Imager only prevents the problem for images written from now on: an SD card already written with 1.9.6 still carries the re-added key, so re-image those cards or remove the key from authorized_keys on each affected device.
🔧 Temporary Workarounds
Disable Public-Key Authentication in Imager
Windows: Avoid using the 'public-key authentication' setting in Raspberry Pi Imager's OS customization feature. Enable password authentication for the first login instead and add only the intended public key to ~/.ssh/authorized_keys on the device afterwards.
Manually Manage SSH Keys on Raspberry Pi
Linux (on the Raspberry Pi): after first boot, remove the re-added key from the authorized_keys file of the account you configured in Imager.
ssh <user>@<raspberry_pi_ip>      # <user> is the account name set in Imager's OS customization
nano ~/.ssh/authorized_keys       # delete the line for the unwanted key (one key per line), then save and exit
🧯 If You Can't Patch
- Disable SSH on the Raspberry Pi if not needed.
- Restrict SSH access to specific IP addresses using firewall rules.
🔍 How to Verify
Check if Vulnerable:
Check whether Raspberry Pi Imager on Windows reports version 1.9.6 and whether the public-key authentication setting was used when the image was written. On the Raspberry Pi, list ~/.ssh/authorized_keys for the configured user: if it contains a key you deleted in the Imager UI (typically the key from the Windows user's id_rsa.pub), the image was affected. On Raspberry Pi OS images the same content can be inspected before first boot in the customization script Imager writes to the card's boot partition (firstrun.sh for Raspberry Pi OS; cloud-init user-data for images that use it), which embeds the authorized_keys entries.
Check Version:
Open Raspberry Pi Imager, go to Help > About, and check the version number.
Verify Fix Applied:
After updating to version 1.9.7 or later, write a test image with public-key authentication enabled, delete the auto-populated key in the Imager UI before writing, and confirm that the key is absent from ~/.ssh/authorized_keys on the booted Raspberry Pi.
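The workaround above (removing the unwanted key by hand) and the verification step both come down to the same question: which keys in authorized_keys did you actually intend to install? The script below is an added example, not code from Raspberry Pi Imager or from this advisory. It compares every entry in an authorized_keys file against the .pub files you meant to install, reports the rest with their OpenSSH SHA256 fingerprints (the same values `ssh-keygen -lf ~/.ssh/authorized_keys` prints and sshd writes to its logs), and can rewrite the file with only the allowed keys. The sample file and the key blobs in it are constructed so the example runs offline; on a real device point it at the configured user's ~/.ssh/authorized_keys and your real .pub files.

```python
"""Audit a Raspberry Pi's authorized_keys against the keys you meant to install.

Added example; not code from Raspberry Pi Imager or from the advisory.
Keys are matched on their public-key blob (key type + base64 data), which is
what sshd itself compares. The SHA256 fingerprint is computed only for the
report, in the notation sshd logs and ssh-keygen -lf prints.
"""
import base64
import hashlib
import sys
from typing import Dict, List, Set, Tuple

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_entry(line: str) -> Tuple[str, str, str]:
    """Split one authorized_keys entry into (key_type, blob, comment).

    An entry may start with an options field, e.g.
    'no-pty,from="10.0.0.0/8" ssh-ed25519 AAAA... comment'. Quoted options
    containing literal spaces are not handled (sshd allows them, but they are rare).
    """
    fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(fields):
            return field, fields[i + 1], " ".join(fields[i + 2:])
    raise ValueError("no public key found on line: %r" % line)


def fingerprint(blob: str) -> str:
    """SHA256 fingerprint in OpenSSH notation: base64 of the digest, '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def audit(text: str, allowed_blobs: Set[str]) -> Tuple[str, List[Dict[str, str]]]:
    """Return (file text containing only allowed keys, list of unexpected entries).

    Blank lines and comments are kept verbatim. Entries whose blob is not allowlisted,
    and lines that do not parse as a key at all, are reported and left out.
    """
    kept: List[str] = []
    unexpected: List[Dict[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            kept.append(raw)
            continue
        try:
            key_type, blob, comment = parse_entry(line)
            fp = fingerprint(blob)  # bad base64 raises binascii.Error, a ValueError subclass
        except ValueError as exc:
            unexpected.append({"line": str(lineno), "reason": "unparseable: %s" % exc})
            continue
        if blob in allowed_blobs:
            kept.append(raw)
        else:
            unexpected.append({"line": str(lineno), "type": key_type,
                               "fingerprint": fp, "comment": comment})
    return ("\n".join(kept) + "\n") if kept else "", unexpected


def constructed_blob(key_type: bytes, filler: int) -> str:
    """Constructed stand-in for a key blob (SSH wire format: length-prefixed type string,
    then a length-prefixed 32-byte body). Not a real key; it only lets the example run offline."""
    body = bytes([filler]) * 32
    raw = len(key_type).to_bytes(4, "big") + key_type + len(body).to_bytes(4, "big") + body
    return base64.b64encode(raw).decode("ascii")


INTENDED_BLOB = constructed_blob(b"ssh-ed25519", 0x01)  # the key you added in Imager on purpose
READDED_BLOB = constructed_blob(b"ssh-rsa", 0x02)       # stands in for the re-added id_rsa.pub key

# Constructed sample of what Imager 1.9.6 leaves behind: the intended key plus the re-added one.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# keys written by Imager OS customization",
    "ssh-ed25519 %s deploy@laptop" % INTENDED_BLOB,
    'from="192.168.1.0/24" ssh-rsa %s user@windows-pc' % READDED_BLOB,
    "",
])


def main(argv: List[str]) -> int:
    """Usage: audit_keys.py [--fix] AUTHORIZED_KEYS ALLOWED.pub [ALLOWED.pub ...]
    --fix rewrites AUTHORIZED_KEYS with only the allowed keys (back it up first)."""
    fix = "--fix" in argv
    args = [a for a in argv if a != "--fix"]
    if len(args) < 2:
        print(main.__doc__)
        return 2
    path, pub_files = args[0], args[1:]
    allowed = {parse_entry(open(p).read().strip())[1] for p in pub_files}
    cleaned, unexpected = audit(open(path).read(), allowed)
    for entry in unexpected:
        print("UNEXPECTED line %s: %s" % (entry["line"], entry))
    if fix and unexpected:
        with open(path, "w") as fh:
            fh.write(cleaned)
        print("rewrote %s, removed %d entries" % (path, len(unexpected)))
    return 1 if unexpected else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it on the device as `python3 audit_keys.py ~/.ssh/authorized_keys intended.pub` first, check that every reported entry really is unwanted, then repeat with `--fix`. Matching on the blob rather than the comment matters here: the re-added key keeps whatever comment id_rsa.pub carried, so a comment-based check is easy to fool, while the blob is exactly what sshd will accept.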
📡 Detection & Monitoring
Log Indicators:
- Successful "Accepted publickey" logins whose key fingerprint is not one you installed, in /var/log/auth.log on the Raspberry Pi (or in journalctl -u ssh on images that log only to the systemd journal).
- Failed SSH authentication attempts followed by successful logins from unexpected sources.
Network Indicators:
- SSH connections from unexpected IP addresses to the Raspberry Pi.
- Unusual SSH traffic patterns to the device.
SIEM Query (match on the key fingerprint, not only the user name: the re-added key is installed for the expected user, so a user-only filter never fires):
source="auth.log" "Accepted publickey" NOT ("SHA256:<allowed_fingerprint_1>" OR "SHA256:<allowed_fingerprint_2>")
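The detection logic above, as an added example that is not part of the advisory: a parser for sshd's "Accepted publickey" lines that alerts on any login made with a key fingerprint outside an allowlist, optionally also on unexpected source addresses. OpenSSH 6.8 and later log the SHA256 fingerprint of the authenticating key, so the allowlist is the set of fingerprints of the .pub files you intended to install. The log lines and the fingerprints in the sample are constructed; the line format is what sshd emits to syslog, and the same text appears in journalctl output with a different timestamp prefix.

```python
"""Flag SSH public-key logins made with a key that is not on your allowlist.

Added example; not part of the advisory. Parses sshd "Accepted publickey" lines
from /var/log/auth.log or `journalctl -u ssh`. OpenSSH 6.8+ logs the SHA256
fingerprint of the key that authenticated, which is the signal this CVE produces:
the re-added key is installed for the expected user, so a rule keyed only on the
user name never fires.
"""
import re
import sys
from typing import Dict, Iterable, Iterator, List, Optional, Set

ACCEPTED_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+) "
    r"ssh2: (?P<keytype>\S+) (?P<fp>SHA256:[A-Za-z0-9+/]{43})"
)


def parse_accepted(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one event per successful public-key login; every other line is ignored."""
    for line in lines:
        match = ACCEPTED_RE.search(line)  # search, not match: syslog and journald prefixes differ
        if match:
            yield match.groupdict()


def find_unexpected_key_logins(lines: Iterable[str], allowed_fps: Set[str],
                               allowed_sources: Optional[Set[str]] = None) -> List[Dict[str, object]]:
    """Return logins whose key fingerprint (or, if given, source IP) is not allowlisted."""
    alerts: List[Dict[str, object]] = []
    for event in parse_accepted(lines):
        reasons = []
        if event["fp"] not in allowed_fps:
            reasons.append("key not in allowlist")
        if allowed_sources is not None and event["ip"] not in allowed_sources:
            reasons.append("source not in allowlist")
        if reasons:
            alerts.append(dict(event, reasons=reasons))
    return alerts


# Constructed placeholders: a real fingerprint is "SHA256:" plus 43 base64 characters.
FP_INTENDED = "SHA256:" + "intended" * 5 + "abc"  # the key you meant to install
FP_READDED = "SHA256:" + "readded1" * 5 + "xyz"   # the id_rsa.pub key Imager 1.9.6 re-added

# Constructed sample log lines in sshd's syslog format.
SAMPLE_LOG = [
    "Mar  3 10:15:02 raspberrypi sshd[812]: Accepted publickey for deploy from 192.168.1.20 port 50122 ssh2: ED25519 " + FP_INTENDED,
    "Mar  3 10:16:44 raspberrypi sshd[840]: Accepted password for deploy from 192.168.1.20 port 50130 ssh2",
    "Mar  3 11:02:10 raspberrypi sshd[901]: Failed publickey for deploy from 203.0.113.7 port 41000 ssh2: RSA " + FP_READDED,
    "Mar  3 11:02:12 raspberrypi sshd[901]: Accepted publickey for deploy from 203.0.113.7 port 41000 ssh2: RSA " + FP_READDED,
]


def main(argv: List[str]) -> int:
    """Usage: ssh_key_alerts.py ALLOWED_FP [ALLOWED_FP ...] < /var/log/auth.log
    or: journalctl -u ssh --no-pager | python3 ssh_key_alerts.py SHA256:..."""
    if not argv:
        print(main.__doc__)
        return 2
    alerts = find_unexpected_key_logins(sys.stdin, set(argv))
    for a in alerts:
        print("ALERT user=%s ip=%s %s %s: %s"
              % (a["user"], a["ip"], a["keytype"], a["fp"], "; ".join(a["reasons"])))
    return 1 if alerts else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

In the sample, the login from 203.0.113.7 is the one to worry about: same user, same authentication method, but a key fingerprint you never installed. Password logins and failed attempts are deliberately not alerted on here; they belong to separate rules, and mixing them in would bury the one signal that is specific to this CVE.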