CVE-2025-7195

6.4 MEDIUM

📋 TL;DR

This vulnerability allows attackers with non-root access inside affected containers to modify the /etc/passwd file due to insecure group-writable permissions. Developers who used Operator-SDK before version 0.15.2 to scaffold operators may have container images vulnerable to privilege escalation. Attackers can add arbitrary users including UID 0, potentially gaining full root privileges within the container.

💻 Affected Systems

Products:
  • Operator-SDK
Versions: Before 0.15.2
Operating Systems: Linux containers
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects container images built using the insecure user_setup script from affected Operator-SDK versions. Images built with newer versions or without this script are not vulnerable.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full container compromise with root privileges, allowing complete control over container resources, data exfiltration, and potential lateral movement to other containers or the host system.

🟠 Likely Case

Privilege escalation within the container allowing unauthorized access to sensitive data and container resources, but limited by container isolation mechanisms.

🟢 If Mitigated

Minimal impact if containers run with proper security contexts, minimal privileges, and network segmentation limiting lateral movement.

🌐 Internet-Facing: MEDIUM - Internet-facing containers could be exploited if attackers gain initial access through other vulnerabilities, but this requires command execution within the container.
🏢 Internal Only: MEDIUM - Internal containers remain vulnerable to privilege escalation if attackers gain initial foothold through other means.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires command execution within the container as a non-root user. The attack involves simple file permission manipulation and user addition commands.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.15.2 and later

Vendor Advisory: https://access.redhat.com/errata/RHEA-2025:23406

Restart Required: Yes

Instructions:

  1. Upgrade Operator-SDK to version 0.15.2 or later.
  2. Rebuild all container images using the updated SDK.
  3. Redeploy operators with the new container images.
  4. Verify old images are removed from registries and deployments.

🔧 Temporary Workarounds

Fix /etc/passwd permissions in existing containers (linux)

Manually correct file permissions on running containers to remove group-writable access:

chmod 644 /etc/passwd
chown root:root /etc/passwd

Update Dockerfile to fix permissions (linux)

Add the permission correction to the Dockerfile before building new images:

RUN chmod 644 /etc/passwd && chown root:root /etc/passwd

🧯 If You Can't Patch

  • Run containers with read-only root filesystem to prevent /etc/passwd modification
  • Implement strict network policies and container isolation to limit attack surface

🔍 How to Verify

Check if Vulnerable:

Check container images for /etc/passwd permissions with 'docker exec <container> ls -la /etc/passwd'. If the output shows group-writable permissions such as -rw-rw-r-- with group root, the container is vulnerable.

Check Version:

operator-sdk version

Verify Fix Applied:

Verify /etc/passwd permissions show -rw-r--r-- and ownership root:root. Check Operator-SDK version used to build images is 0.15.2+.
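The permission check above, as an added shell example that is not part of this advisory: passwd_verdict reports whether a given passwd file (default /etc/passwd) carries the group- or world-writable bit this CVE describes, and image_passwd_report (which assumes the docker CLI is installed and the image contains a stat binary) runs the same inspection against a built image without starting its normal entrypoint.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a passwd file by its mode bits.
# Prints VULNERABLE, OK or MISSING and returns 1, 0 or 2 respectively.
passwd_verdict() {
    path="${1:-/etc/passwd}"
    # GNU stat (Linux containers); fail cleanly if the file is absent.
    mode=$(stat -c '%a' "$path" 2>/dev/null) || { echo MISSING; return 2; }
    perm=$(printf '%s' "$mode" | tail -c 3)   # drop a leading setuid/sticky digit
    group=$(printf '%s' "$perm" | cut -c2)
    other=$(printf '%s' "$perm" | cut -c3)
    # The write bit (value 2) in the group or other triplet is the defect.
    if [ $((group & 2)) -ne 0 ] || [ $((other & 2)) -ne 0 ]; then
        echo VULNERABLE; return 1
    fi
    echo OK; return 0
}

# Human-readable line, e.g. "OK 644 root:root /etc/passwd".
passwd_report() {
    path="${1:-/etc/passwd}"
    verdict=$(passwd_verdict "$path") || :
    detail=$(stat -c '%a %U:%G' "$path" 2>/dev/null) || :
    echo "$verdict ${detail:-} $path"
}

# Assumption: docker CLI available and /usr/bin/stat present in the image.
# Overrides the entrypoint so only the inspection command runs.
image_passwd_report() {
    docker run --rm --entrypoint stat "$1" -c '%a %U:%G' /etc/passwd
}
```

A chmod applied inside a running container is lost when the container is recreated from the unfixed image, so check the image itself, not only the live filesystem.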

📡 Detection & Monitoring

Log Indicators:

  • Unexpected user additions in /etc/passwd
  • Permission changes to system files
  • Commands attempting to modify /etc/passwd

Network Indicators:

  • Unusual outbound connections from containers after privilege escalation

SIEM Query:

container.runtime.command:*passwd* OR (file.path:/etc/passwd AND file.permission_change:*)
