CVE-2025-9162
📋 TL;DR
Keycloak resolves placeholders in realm documents during realm import, so a realm document that references environment variables is expanded with values from the Keycloak server's own process environment. A crafted document therefore lets whoever can supply it inject content into the imported realm and pull environment-variable values (which commonly hold credentials) into the realm configuration. Any deployment that imports realm documents is affected: startup import, the operator's KeycloakRealmImport resource, and imports submitted by administrators.
💻 Affected Systems
- Keycloak
- Red Hat Single Sign-On
⚠️ Manual Verification Required
The CVE entry in our database carries no affected-version ranges (none were provided by the vendor or NVD), so automatic detection cannot tell whether your installation is affected. Use the Red Hat advisories below, which are version-specific, and verify manually:
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Secrets held in the Keycloak process environment (database, SMTP, vault or client credentials supplied as environment variables) are expanded into realm configuration that the importer can read back, and attacker-chosen values land in the live realm. With those credentials and control over realm settings an attacker can reach the backing database or reconfigure authentication, so a full compromise of the Keycloak deployment is the worst case.
Likely Case
Targeted configuration changes within the imported realm and disclosure of individual environment-variable values, which can disrupt authentication flows or expose sensitive configuration data without taking over the server.
If Mitigated
No impact when imported realm documents are validated before import (placeholder references rejected or restricted to an allow list), when the process environment holds no secrets that a realm document could reference, or when realm import is disabled entirely.
🎯 Exploit Status
No public exploit is referenced on this page. Exploitation requires getting a crafted realm document into an import path (the startup import directory, an operator KeycloakRealmImport resource, or an administrator-driven import), so the attacker needs write access to one of those channels; in practice that means authenticated, usually administrative, access or control of the deployment pipeline.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Red Hat advisories RHSA-2025:15336, RHSA-2025:15337, RHSA-2025:15338, RHSA-2025:15339, RHSA-2025:16399 and RHSA-2025:16400 for the patched version of each product stream
Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:15336
Restart Required: Yes. The update replaces the server distribution, so the Keycloak process must be restarted (or the container redeployed from the updated image) to run the patched code.
Instructions:
1. Review the Red Hat advisory that matches your Keycloak/RH-SSO product stream and version.
2. Apply the security update: via your package manager for RPM installs, or by redeploying from the updated container image or operator release.
3. Restart Keycloak and verify that the running version matches the patched version named in the advisory.
4. Test realm import functionality after patching.
🔧 Temporary Workarounds
Disable realm imports
Temporarily disable realm import, including KeycloakRealmImport resources under the operator, until patches can be applied.
Restrict environment variable access
Limit which environment variables the Keycloak process can see: keep credentials out of the process environment (use Keycloak's vault or file-based configuration instead) and reject realm documents that reference variables outside an explicit allow list.
🧯 If You Can't Patch
- Validate every realm document before it is imported: reject or flag placeholder references to environment variables you did not author, and never import documents from untrusted sources
- Restrict realm import functionality to trusted administrators and to a reviewed deployment pipeline
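The validation and allow-list mitigations above can be applied mechanically before a document reaches Keycloak. The script below is an added example, not code from Keycloak or Red Hat: it walks a realm JSON document, reports every `${...}` placeholder with its JSON path, flags names that look like secrets, and rejects the document when a placeholder is not on an allow list. It assumes Keycloak's placeholder syntax of `${NAME}` / `${env.NAME}` with an optional `:default` suffix; the sample realm and the sensitive-name patterns are constructed for the example and should be adapted to your deployment.

```python
"""Pre-import scanner for Keycloak realm documents (added example).

Usage: python scan_realm.py realm.json
With no argument it scans the constructed SAMPLE_REALM below.
"""
import json
import re
import sys

# Assumed placeholder syntax: ${name} or ${env.NAME}, optionally ${name:default}.
PLACEHOLDER_RE = re.compile(r"\$\{([^}:]+)(?::([^}]*))?\}")

# Heuristic for names that usually carry secrets; extend for your environment.
SENSITIVE_RE = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|KEY|CREDENTIAL)", re.IGNORECASE)

# Constructed sample: a realm document that pulls two credentials from the
# Keycloak process environment and one harmless value with a default.
SAMPLE_REALM = {
    "realm": "payments",
    "enabled": True,
    "smtpServer": {"host": "smtp.example.test", "password": "${env.KC_DB_PASSWORD}"},
    "clients": [
        {
            "clientId": "portal",
            "secret": "${env.PORTAL_CLIENT_SECRET}",
            "rootUrl": "${APP_URL:https://portal.example.test}",
        }
    ],
    "attributes": {"note": "no placeholders here"},
}


def iter_strings(node, path="$"):
    """Yield (json_path, string) for every string value in the document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from iter_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from iter_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node


def find_placeholders(realm):
    """Return one finding per placeholder occurrence, in document order."""
    findings = []
    for path, value in iter_strings(realm):
        for match in PLACEHOLDER_RE.finditer(value):
            raw = match.group(1).strip()
            name = raw[4:] if raw.startswith("env.") else raw  # strip env. prefix
            findings.append({
                "path": path,
                "placeholder": match.group(0),
                "name": name,
                "default": match.group(2),
                "sensitive": bool(SENSITIVE_RE.search(name)),
            })
    return findings


def check_realm(realm, allowed_names=frozenset()):
    """Return (ok, findings). ok is False when any placeholder is not allow-listed."""
    findings = find_placeholders(realm)
    blocked = [f for f in findings if f["name"] not in allowed_names]
    return (not blocked, findings)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as handle:
            realm = json.load(handle)
    else:
        realm = SAMPLE_REALM
    ok, findings = check_realm(realm, allowed_names={"APP_URL"})
    for finding in findings:
        tag = "SENSITIVE" if finding["sensitive"] else "placeholder"
        print(f"{tag:11} {finding['path']}: {finding['placeholder']} -> {finding['name']}")
    print("OK: safe to import" if ok else "REJECT: placeholder outside allow list")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as a gate in the pipeline that produces realm documents (for an operator KeycloakRealmImport resource, feed it the `spec.realm` object). A non-zero exit means the document references something outside the allow list; a `SENSITIVE` line means a placeholder name that looks like a credential and deserves a manual look even if it is allow-listed.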
🔍 How to Verify
Check if Vulnerable:
Compare the running Keycloak version against the patched versions named in the Red Hat advisories, and confirm whether realm import is in use (startup import directory configured, KeycloakRealmImport resources present, or administrators performing imports).
Check Version:
Run `bin/kc.sh --version` (or `bin\kc.bat --version` on Windows) from the Keycloak installation directory; in a container, run the same command inside it or check the image tag. The admin console also shows the version on its Server Info page.
Verify Fix Applied:
After restarting on the updated distribution, confirm the version reported by `kc.sh --version` matches the patched version specified in the Red Hat advisory for your product stream.
📡 Detection & Monitoring
Log Indicators:
- Unusual realm import activity
- Errors in realm import processing
- Suspicious environment variable references in import logs
Network Indicators:
- Unusual API calls to realm import endpoints
- Large or complex realm import requests
SIEM Query:
source="keycloak" AND ("realm import" OR "KeycloakRealmImport") AND (error OR exception OR suspicious)
(Generic search; map the source and field names to your SIEM's Keycloak log schema, and review successful imports as well as failed ones, since a malicious document imports without error.)
🔗 References
- https://access.redhat.com/errata/RHSA-2025:15336
- https://access.redhat.com/errata/RHSA-2025:15337
- https://access.redhat.com/errata/RHSA-2025:15338
- https://access.redhat.com/errata/RHSA-2025:15339
- https://access.redhat.com/errata/RHSA-2025:16399
- https://access.redhat.com/errata/RHSA-2025:16400
- https://access.redhat.com/security/cve/CVE-2025-9162
- https://bugzilla.redhat.com/show_bug.cgi?id=2389396