CVE-2025-62506

8.1 HIGH

📋 TL;DR

MinIO versions before RELEASE.2025-10-15T17-29-55Z contain a privilege escalation vulnerability where restricted service accounts and STS accounts can bypass their inline policy restrictions when creating new service accounts for themselves. This allows attackers to create unrestricted service accounts with full parent privileges, enabling unauthorized access to buckets and objects beyond their intended scope. All MinIO deployments using service accounts or STS accounts with restricted session policies are affected.

💻 Affected Systems

Products:
  • MinIO
Versions: All versions prior to RELEASE.2025-10-15T17-29-55Z
Operating Systems: All platforms running MinIO
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects deployments using service accounts or STS accounts with restricted session policies. Standard IAM users are not affected.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with compromised restricted credentials can create a new service account with full administrative privileges, gaining complete control over the MinIO instance including access to all buckets, ability to modify/delete sensitive data, and potentially pivot to other systems.

🟠 Likely Case

Restricted service accounts can escalate their privileges to access buckets and objects they shouldn't have access to, potentially exposing sensitive data or allowing unauthorized modifications.

🟢 If Mitigated

With proper network segmentation and access controls, the impact is limited to the MinIO instance itself, though data exposure and unauthorized modifications remain possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires valid credentials for a restricted service or STS account. The attack involves simple API calls to create new service accounts.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: RELEASE.2025-10-15T17-29-55Z

Vendor Advisory: https://github.com/minio/minio/security/advisories/GHSA-jjjj-jwhf-8rgr

Restart Required: Yes

Instructions:

  1. Back up your MinIO configuration and data.
  2. Stop the MinIO service.
  3. Update MinIO to version RELEASE.2025-10-15T17-29-55Z or later.
  4. Restart the MinIO service.
  5. Verify the update was successful.

🔧 Temporary Workarounds

Disable service account creation for restricted accounts

Applies to: all

Temporarily restrict the ability of service accounts to create new service accounts via IAM policies.

mc admin policy create myminio restrict-service-creation restrict-service-creation.json
mc admin policy attach myminio restrict-service-creation --user=<restricted-account>

🧯 If You Can't Patch

  • Review and audit all service accounts and STS accounts for unauthorized privilege escalation
  • Implement network segmentation to limit MinIO access and monitor for unusual service account creation patterns

🔍 How to Verify

Check if Vulnerable:

Check the MinIO version using 'minio --version' or via the web console. If the version is older than RELEASE.2025-10-15T17-29-55Z, the system is vulnerable.

Check Version:

minio --version

Verify Fix Applied:

After patching, verify the version is RELEASE.2025-10-15T17-29-55Z or newer and test that restricted service accounts cannot create unrestricted service accounts.

📡 Detection & Monitoring

Log Indicators:

  • Unusual service account creation events
  • Multiple service accounts created by the same parent account
  • Access patterns from newly created service accounts

Network Indicators:

  • API calls to create service accounts from restricted accounts
  • Unusual data access patterns following service account creation

SIEM Query:

source="minio" AND (event="CreateServiceAccount" OR event="AssumeRole") | stats count by user, source_ip
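As an added example (not part of this advisory page and not MinIO's own tooling), the Python below covers two of the checks described above: it extracts the RELEASE tag from `minio --version` output and compares it against the fixed release, and it runs the detection logic over constructed MinIO-style audit records, flagging service-account creations by known restricted service/STS identities and any single creator exceeding a threshold. The audit field names (time, accessKey, api.name, remotehost), the API names AddServiceAccount/CreateServiceAccount, the sample records and the account names are assumptions made for this example.

```python
import json
import re
from collections import Counter

FIXED_RELEASE = "RELEASE.2025-10-15T17-29-55Z"
# Assumed API names for service-account creation; adjust to what your
# MinIO audit feed actually emits.
CREATE_EVENTS = {"AddServiceAccount", "CreateServiceAccount"}

# Constructed sample audit records in a MinIO-like JSON-lines shape
# (field names are assumptions for this example, not taken from MinIO docs).
SAMPLE_AUDIT_LOG = """\
{"time":"2025-10-14T09:01:00Z","accessKey":"svc-reporting","api":{"name":"AddServiceAccount"},"remotehost":"10.0.4.12"}
{"time":"2025-10-14T09:01:07Z","accessKey":"svc-reporting","api":{"name":"AddServiceAccount"},"remotehost":"10.0.4.12"}
{"time":"2025-10-14T09:02:30Z","accessKey":"alice","api":{"name":"AddServiceAccount"},"remotehost":"10.0.1.5"}
{"time":"2025-10-14T09:03:00Z","accessKey":"svc-reporting","api":{"name":"GetObject"},"remotehost":"10.0.4.12"}
{"time":"2025-10-14T09:04:00Z","accessKey":"sts-ci-runner","api":{"name":"AddServiceAccount"},"remotehost":"10.0.9.40"}
"""


def is_vulnerable_release(version_output: str) -> bool:
    """True if the RELEASE.<timestamp> tag in `minio --version` output predates the fix.
    MinIO release tags are fixed-width UTC timestamps, so plain string order is date order."""
    m = re.search(r"RELEASE\.\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}Z", version_output)
    if not m:
        raise ValueError("no RELEASE tag found in version output")
    return m.group(0) < FIXED_RELEASE


def find_suspicious_creations(audit_text, restricted_accounts, threshold=2):
    """Flag service-account creations performed by restricted (service/STS) identities,
    and any single creator that made `threshold` or more creations in the log covered."""
    restricted_hits = []
    per_creator = Counter()
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("api", {}).get("name") not in CREATE_EVENTS:
            continue  # not a creation event
        creator = rec.get("accessKey", "")
        per_creator[creator] += 1
        if creator in restricted_accounts:
            restricted_hits.append((rec.get("time"), creator, rec.get("remotehost")))
    bursts = {c: n for c, n in per_creator.items() if n >= threshold}
    return {"restricted": restricted_hits, "burst": bursts}


if __name__ == "__main__":
    print(is_vulnerable_release("minio version RELEASE.2025-09-01T00-00-00Z (commit-id=constructed)"))
    print(find_suspicious_creations(SAMPLE_AUDIT_LOG, {"svc-reporting", "sts-ci-runner"}))
```

Feed it the real audit stream and the list of identities that carry restricted session policies; a hit in "restricted" is exactly the event the SIEM query above is looking for.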
