CVE-2025-7784
📋 TL;DR
A privilege escalation vulnerability in Keycloak allows administrative users with the manage-users role to elevate their privileges to realm-admin when Fine-Grained Admin Permissions (FGAPv2) are enabled. This compromises administrative separation of duties and affects Keycloak deployments using FGAPv2 with administrative users.
💻 Affected Systems
- Keycloak
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with manage-users access gains full realm-admin control, allowing them to modify all realm settings, create/delete users, change authentication flows, and potentially compromise the entire identity management system.
Likely Case
Administrative users unintentionally or intentionally escalate their privileges beyond intended scope, violating separation of duties and potentially accessing sensitive configuration data.
If Mitigated
With proper role-based access controls and monitoring, impact is limited to unauthorized privilege changes that can be detected and rolled back.
🎯 Exploit Status
Exploitation requires authenticated administrative access with the manage-users role. The vulnerability is an improper privilege enforcement within the FGAPv2 system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat advisories RHSA-2025:12015 and RHSA-2025:12016 for specific patched versions
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2025-7784
Restart Required: Yes
Instructions:
1. Review Red Hat advisories RHSA-2025:12015 and RHSA-2025:12016.
2. Apply the recommended security update for your Keycloak version.
3. Restart Keycloak services.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable FGAPv2
Temporarily disable the Fine-Grained Admin Permissions feature until patching is possible.
Consult the Keycloak documentation for disabling FGAPv2 in your specific deployment.
Restrict manage-users role
Limit the number of users holding the manage-users role and implement additional monitoring.
Review and audit all users with the manage-users role.
Implement additional logging for privilege changes.
🧯 If You Can't Patch
- Disable Fine-Grained Admin Permissions (FGAPv2) feature entirely
- Implement strict monitoring and alerting for privilege escalation attempts and administrative actions
🔍 How to Verify
Check if Vulnerable:
Check whether FGAPv2 is enabled in your Keycloak configuration and compare your Keycloak version against the affected versions listed in the Red Hat advisories.
Check Version:
Run keycloak/bin/kc.sh --version, or check the version in the Keycloak admin console.
Verify Fix Applied:
Verify that the Keycloak version is a patched one, then test that a user holding only the manage-users role cannot obtain realm-admin.
📡 Detection & Monitoring
Log Indicators:
- Unexpected privilege escalation events
- Users with manage-users role gaining realm-admin permissions
- Administrative permission changes outside normal workflows
Network Indicators:
- Unusual administrative API calls from users with limited roles
SIEM Query:
source="keycloak" AND (event_type="PRIVILEGE_ESCALATION" OR permission_changes="realm-admin")
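As an added illustration (not from this advisory or from the Keycloak project), the Python filter below scans Keycloak admin events and raises an alert for every role-mapping event that grants the realm-admin role, ranking a self-grant highest because that is the escalation pattern described above. It assumes the event shape of Keycloak's admin-events API (operationType, resourceType, resourcePath, authDetails.userId, representation as a JSON-encoded string); the sample events and the trusted-granter set are constructed for the example.

```python
import json
import re

# Constructed sample admin events in the shape Keycloak's admin-events API
# returns; all user and client ids below are made up for this example.
SAMPLE_EVENTS = [
    {"time": 1, "operationType": "CREATE", "resourceType": "CLIENT_ROLE_MAPPING",
     "resourcePath": "users/u-alice/role-mappings/clients/c-realm-mgmt",
     "authDetails": {"userId": "u-alice", "ipAddress": "10.0.0.5"},
     "representation": json.dumps([{"name": "realm-admin", "clientRole": True}])},
    {"time": 2, "operationType": "CREATE", "resourceType": "CLIENT_ROLE_MAPPING",
     "resourcePath": "users/u-bob/role-mappings/clients/c-realm-mgmt",
     "authDetails": {"userId": "u-root", "ipAddress": "10.0.0.9"},
     "representation": json.dumps([{"name": "realm-admin", "clientRole": True}])},
    {"time": 3, "operationType": "CREATE", "resourceType": "CLIENT_ROLE_MAPPING",
     "resourcePath": "users/u-carol/role-mappings/clients/c-realm-mgmt",
     "authDetails": {"userId": "u-alice", "ipAddress": "10.0.0.5"},
     "representation": json.dumps([{"name": "view-users", "clientRole": True}])},
]

# Assumption: the accounts that are expected to hand out realm-admin.
TRUSTED_GRANTERS = {"u-root"}
# The target user id is the path segment after "users/" in resourcePath.
USER_RE = re.compile(r"^users/([^/]+)/role-mappings/")


def realm_admin_grants(events):
    """Return one alert per role-mapping event that grants realm-admin."""
    alerts = []
    for ev in events:
        if ev.get("operationType") != "CREATE":
            continue
        if not ev.get("resourceType", "").endswith("ROLE_MAPPING"):
            continue
        try:  # representation is a JSON string; it may be absent if not recorded
            roles = json.loads(ev.get("representation") or "[]")
        except json.JSONDecodeError:
            roles = []
        if not any(r.get("name") == "realm-admin" for r in roles):
            continue
        m = USER_RE.match(ev.get("resourcePath", ""))
        target = m.group(1) if m else "<unknown>"
        actor = ev.get("authDetails", {}).get("userId", "<unknown>")
        if actor == target:
            severity = "critical"  # self-grant: the escalation pattern of this CVE
        elif actor not in TRUSTED_GRANTERS:
            severity = "high"      # grant by an account not expected to do so
        else:
            severity = "info"      # expected admin workflow, keep for audit
        alerts.append({"time": ev.get("time"), "actor": actor,
                       "target": target, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in realm_admin_grants(SAMPLE_EVENTS):
        print(alert)
```

Feed it the output of the admin-events endpoint (with representation recording enabled) and route "critical" and "high" alerts to your SIEM.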