CVE-2025-61667
📋 TL;DR
A local privilege escalation vulnerability in Datadog Linux Host Agent versions 7.65.0 through 7.70.2 allows attackers with local access and low-privilege accounts to modify Python cache files that execute during Agent upgrades. This could lead to arbitrary code execution with elevated privileges. Only Linux Host Agent installations are affected.
💻 Affected Systems
- Datadog Linux Host Agent
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains root privileges on the host, enabling complete system compromise, data theft, lateral movement, and persistence.
Likely Case
Local user escalates to root privileges, potentially installing backdoors, accessing sensitive data, or disrupting monitoring services.
If Mitigated
With proper access controls and patching, impact is limited to failed exploitation attempts with no privilege escalation.
🎯 Exploit Status
Exploitation requires local access with a valid low-privilege account and ability to write to the __pycache__ directory.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.71.0
Vendor Advisory: https://github.com/DataDog/datadog-agent/security/advisories/GHSA-6852-76c5-6cmg
Restart Required: Yes
Instructions:
1. Upgrade Datadog Agent to version 7.71.0 or later using your package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt install datadog-agent
3. For RHEL/CentOS: sudo yum update datadog-agent
4. Restart the agent: sudo systemctl restart datadog-agent
🔧 Temporary Workarounds
Restrict directory permissions
Manually set root ownership and owner-only permissions on the vulnerable directory so that low-privilege local users cannot write to it.
sudo chmod 700 /opt/datadog-agent/python-scripts/__pycache__
sudo chown root:root /opt/datadog-agent/python-scripts/__pycache__
🧯 If You Can't Patch
- Implement strict access controls to limit local user access to vulnerable hosts.
- Monitor for unauthorized file modifications in the __pycache__ directory using file integrity monitoring tools.
🔍 How to Verify
Check if Vulnerable:
Check the Datadog Agent version with datadog-agent version | grep 'Agent' and confirm whether it falls within 7.65.0 through 7.70.2 (inclusive).
Check Version:
datadog-agent version | grep 'Agent'
Verify Fix Applied:
Confirm version is 7.71.0 or later: datadog-agent version | grep 'Agent' and check directory permissions: ls -la /opt/datadog-agent/python-scripts/__pycache__.
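The version check and the directory-permission check above can be combined into one script. The following is an added example, not code from this page or from Datadog; it assumes the datadog-agent binary is on PATH, that the first X.Y.Z triple in its version output is the Agent version, and it uses the affected range, fixed version and __pycache__ path stated in this advisory. The sample version line in the main block is constructed.

```python
import os
import re
import stat
import subprocess

# Figures from the advisory: affected Linux Host Agent range, fixed version, workaround path.
AFFECTED_MIN = (7, 65, 0)
AFFECTED_MAX = (7, 70, 2)
FIXED = (7, 71, 0)
PYCACHE_DIR = "/opt/datadog-agent/python-scripts/__pycache__"


def parse_agent_version(output):
    """Pull the first X.Y.Z triple out of `datadog-agent version` output (assumed format)."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", output)
    if not m:
        raise ValueError("no version string found in output")
    return tuple(int(part) for part in m.groups())


def version_status(version):
    """Classify a version tuple against the advisory's range."""
    if AFFECTED_MIN <= version <= AFFECTED_MAX:
        return "affected"
    if version >= FIXED:
        return "fixed"
    return "not_listed"  # outside the range the advisory names as affected


def audit_dir_mode(uid, mode, is_symlink=False):
    """Findings for a directory given its owner uid and permission bits (pure, testable)."""
    findings = []
    if is_symlink:
        findings.append("path is a symlink")
    if uid != 0:
        findings.append(f"owner is uid {uid}, expected root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"group/other writable (mode {oct(mode)})")
    return findings


def audit_pycache_dir(path=PYCACHE_DIR):
    """Apply audit_dir_mode to a real path; a missing directory is reported, not an error."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path} does not exist"]
    return audit_dir_mode(st.st_uid, stat.S_IMODE(st.st_mode), stat.S_ISLNK(st.st_mode))


def live_check():
    """Run the real binary (assumed on PATH) and summarise version status plus directory findings."""
    proc = subprocess.run(["datadog-agent", "version"], capture_output=True, text=True, check=False)
    version = parse_agent_version(proc.stdout)
    return {
        "version": ".".join(map(str, version)),
        "status": version_status(version),
        "pycache_findings": audit_pycache_dir(),
    }


if __name__ == "__main__":
    # Constructed sample of a version line, so the parser can be exercised without the binary.
    SAMPLE = "Agent 7.68.2 - Commit: 0123abc - Serialization version: v5.0.130 - Go version: go1.22.5"
    v = parse_agent_version(SAMPLE)
    print("sample:", ".".join(map(str, v)), version_status(v))
    print("directory:", audit_pycache_dir() or ["ok"])
```

Run it as root on the host to get a real reading; an empty findings list means the directory is root-owned, not a symlink, and has no group or world write bit, which is the state the chmod 700 / chown root:root workaround produces.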
📡 Detection & Monitoring
Log Indicators:
- Unauthorized file modifications in /opt/datadog-agent/python-scripts/__pycache__
- Unexpected processes spawned during Datadog Agent upgrades
- Privilege escalation attempts from datadog-agent user
Network Indicators:
- None - this is a local privilege escalation vulnerability
SIEM Query:
source="datadog-agent" AND ((event="file_modification" AND path="/opt/datadog-agent/python-scripts/__pycache__/*") OR (event="process_execution" AND parent_process="datadog-agent" AND user_change="root"))
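The file-integrity monitoring suggested above and the SIEM query's logic can both be checked offline. The following is an added example, not code from this page or from Datadog: it hashes every regular file under the __pycache__ directory named in this advisory, diffs two snapshots into added/removed/modified events, and applies the query's conditions (with the source filter grouped over both branches) to event dictionaries whose field names are taken from the query. The scenario in run_demo() is constructed in a temporary directory.

```python
import hashlib
import os
import stat
import tempfile
from fnmatch import fnmatch

PYCACHE_DIR = "/opt/datadog-agent/python-scripts/__pycache__"  # path named in the advisory


def snapshot(root):
    """Map each regular file under root to (sha256, uid, mode); a missing root gives {}."""
    state = {}
    if not os.path.isdir(root):
        return state
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are not hashed
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(full, root)
            state[rel] = (digest.hexdigest(), st.st_uid, stat.S_IMODE(st.st_mode))
    return state


def diff_snapshots(before, after):
    """Sorted (event, relpath) pairs: added / removed / modified / metadata_changed."""
    events = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            events.append(("added", rel))
        elif rel not in after:
            events.append(("removed", rel))
        elif before[rel][0] != after[rel][0]:
            events.append(("modified", rel))
        elif before[rel][1:] != after[rel][1:]:
            events.append(("metadata_changed", rel))
    return events


def matches_siem_rule(event):
    """The advisory's SIEM query over one event dict, with the source filter over both branches."""
    if event.get("source") != "datadog-agent":
        return False
    file_mod = (event.get("event") == "file_modification"
                and fnmatch(event.get("path", ""), PYCACHE_DIR + "/*"))
    priv_exec = (event.get("event") == "process_execution"
                 and event.get("parent_process") == "datadog-agent"
                 and event.get("user_change") == "root")
    return file_mod or priv_exec


def run_demo():
    """Constructed scenario in a temp dir: baseline, then one file tampered and one added."""
    root = tempfile.mkdtemp(prefix="pycache-demo-")
    path_a = os.path.join(root, "a.cpython-311.pyc")
    with open(path_a, "wb") as fh:
        fh.write(b"original bytecode")
    baseline = snapshot(root)
    with open(path_a, "wb") as fh:
        fh.write(b"tampered bytecode")
    with open(os.path.join(root, "b.cpython-311.pyc"), "wb") as fh:
        fh.write(b"new file")
    return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, rel in run_demo():
        print(f"{kind}: {rel}")
```

In production, take the baseline snapshot right after a trusted install or upgrade, store it outside the agent's directory, and compare on a schedule; any "added" or "modified" .pyc outside a known upgrade window is the indicator the log section describes.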