CVE-2025-7044

7.7 HIGH

📋 TL;DR

An authenticated attacker can exploit improper input validation in MAAS's websocket handler to self-promote to administrator by injecting the is_superuser property. This grants full administrative control over the MAAS deployment. All MAAS deployments with authenticated users are affected.

💻 Affected Systems

Products:
  • MAAS (Metal as a Service)
Versions: All versions prior to the fix
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to MAAS websocket interface.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attacker gains full administrative control over MAAS, allowing them to deploy malicious machines, modify network configurations, access sensitive data, and potentially pivot to other infrastructure.

🟠 Likely Case

Authenticated user escalates privileges to administrator, gaining control over MAAS-managed infrastructure and potentially compromising other systems.

🟢 If Mitigated

With proper network segmentation and monitoring, impact is limited to the MAAS management plane, though administrative access remains significant.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires intercepting/modifying websocket traffic but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check MAAS release notes for specific version

Vendor Advisory: https://bugs.launchpad.net/maas/+bug/2115714

Restart Required: Yes

Instructions:

1. Check current MAAS version
2. Update MAAS to patched version via apt/dpkg
3. Restart MAAS services
4. Verify fix applied

🔧 Temporary Workarounds

Websocket Traffic Monitoring (platform: linux)

Monitor and block suspicious websocket requests containing is_superuser modifications

Network Segmentation (platform: all)

Restrict MAAS websocket access to trusted networks only

🧯 If You Can't Patch

  • Implement strict network access controls to MAAS websocket interface
  • Monitor for privilege escalation attempts and review user activity logs regularly

🔍 How to Verify

Check if Vulnerable:

Check MAAS version against patched releases in vendor advisory

Check Version:

dpkg -l | grep maas

Verify Fix Applied:

Test that non-admin authenticated users cannot modify the is_superuser property via the websocket interface

📡 Detection & Monitoring

Log Indicators:

  • Websocket requests with is_superuser=true from non-admin users
  • Unexpected user privilege changes in MAAS logs

Network Indicators:

  • Websocket traffic containing is_superuser property modifications
  • Unusual websocket request patterns

SIEM Query:

source="maas.log" AND "is_superuser" AND "true" AND user!="admin"
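The log indicators and SIEM query above can be turned into a small offline check. The following is an added example, not MAAS code and not the advisory's own query: it assumes a hypothetical JSON-per-line websocket audit log with fields "user", "is_admin", "method" and "params" (constructed sample lines are embedded), and flags every request in which a non-admin user sends the is_superuser property, including the string form "true" that a naive `is_superuser=true` match would miss.

```python
import json
from typing import Any, Dict, List

# Constructed sample lines in a hypothetical JSON audit-log format. The real
# MAAS websocket log format is not given in the advisory; adapt the field
# names ("user", "is_admin", "method", "params") to what your deployment emits.
SAMPLE_LOG = """\
{"ts":"2025-07-01T10:00:00Z","user":"alice","is_admin":false,"method":"user.update","params":{"id":7,"email":"a@example.org"}}
{"ts":"2025-07-01T10:00:05Z","user":"alice","is_admin":false,"method":"user.update","params":{"id":7,"is_superuser":true}}
{"ts":"2025-07-01T10:01:00Z","user":"root","is_admin":true,"method":"user.update","params":{"id":9,"is_superuser":true}}
{"ts":"2025-07-01T10:02:00Z","user":"bob","is_admin":false,"method":"user.update","params":{"id":8,"is_superuser":"true"}}
{"ts":"2025-07-01T10:03:00Z","user":"carol","is_admin":false,"method":"machine.list","params":{}}
this line is not JSON and must be skipped rather than crash the detector
"""

FLAGGED_KEY = "is_superuser"


def find_escalation_attempts(log_text: str) -> List[Dict[str, Any]]:
    """Return one record per websocket request in which a non-admin user
    sends the is_superuser property at all, whatever its value: a plain
    user has no business touching that field, so a string "true" (or even
    "false") is as suspicious as a JSON true. Non-JSON lines are ignored."""
    hits: List[Dict[str, Any]] = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        params = entry.get("params")
        if not isinstance(params, dict) or FLAGGED_KEY not in params:
            continue
        if entry.get("is_admin") is True:
            continue  # admins may legitimately grant or revoke the flag
        hits.append({
            "ts": entry.get("ts"),
            "user": entry.get("user"),
            "method": entry.get("method"),
            "target": params.get("id"),
            "value": params[FLAGGED_KEY],
        })
    return hits


if __name__ == "__main__":
    for hit in find_escalation_attempts(SAMPLE_LOG):
        print(hit)
```

Run against the constructed log, it reports alice's and bob's requests and ignores root's legitimate change, the unrelated updates and the malformed line.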

🔗 References
