CVE-2025-66433
📋 TL;DR
HTCondor Access Point versions 24.7.3 through 25.3.0 allow authenticated users to impersonate other users on the local machine by submitting batch jobs. This affects systems running vulnerable HTCondor Access Point software where multiple users share the same machine.
💻 Affected Systems
- HTCondor Access Point
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker could execute arbitrary code with the privileges of another user on the same machine, potentially gaining unauthorized access to sensitive data or performing malicious actions under another user's identity.
Likely Case
An authenticated user could submit jobs that appear to originate from other users, causing confusion, audit trail corruption, or limited privilege escalation within the HTCondor environment.
If Mitigated
With proper access controls and monitoring, impact is limited to job submission confusion without significant privilege escalation.
🎯 Exploit Status
Exploitation requires authenticated access to submit batch jobs. The vulnerability is in how job submissions are processed and attributed to users.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 24.12.14, 25.0.3, or 25.3.1
Vendor Advisory: https://htcondor.org/security/vulnerabilities/HTCONDOR-2025-0002.html
Restart Required: Yes
Instructions:
1. Identify your HTCondor version using 'condor_version'. 2. If vulnerable, download appropriate patched version from HTCondor website. 3. Follow HTCondor upgrade procedures for your version. 4. Restart HTCondor services after upgrade.
🔧 Temporary Workarounds
Restrict job submission access
allLimit which users can submit batch jobs to only trusted individuals
# Configure HTCondor access controls in condor_config.local
# Set ALLOW_WRITE = trusted_users@*
Enable detailed job auditing
allIncrease logging of job submissions to detect impersonation attempts
# Add to condor_config: MAX_HISTORY_LOG = 1000000
# Add to condor_config: ENABLE_USERLOG_JOB_ADS = TRUE
🧯 If You Can't Patch
- Implement strict access controls to limit which users can submit batch jobs
- Enable comprehensive auditing of all job submissions and regularly review logs for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Run 'condor_version' and check if version is between 24.7.3 and 25.3.0 (excluding 24.12.14, 25.0.3, 25.3.1)Check Version:
condor_versionVerify Fix Applied:
After patching, verify version shows 24.12.14, 25.0.3, or 25.3.1 using 'condor_version'📡 Detection & Monitoring
Log Indicators:
- Job submissions with mismatched user identities
- Unusual job submission patterns from specific users
- Jobs running with unexpected user privileges
Network Indicators:
- Multiple job submissions from single user appearing as different users
SIEM Query:
source="htcondor" AND (event="job_submit" OR event="job_execute") | stats count by user, src_user | where user != src_user