CVE-2025-13609
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L
Description
A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.
Analysis
A high-severity identity-hijacking flaw in Keylime's agent registration allows an attacker who already holds high privileges (CVSS PR:H) to register an agent backed by a different TPM while claiming an existing agent's UUID, overwriting the legitimate agent's registered identity. The attacker can then impersonate the trusted agent and potentially bypass the security controls that depend on its attestation results. The vulnerability carries a CVSS 3.1 base score of 8.2 (High); its EPSS score of 0.07% (21st percentile) and its absence from the CISA KEV catalog indicate a comparatively low likelihood of real-world exploitation at the time of writing.
Technical Context
Keylime is an open-source remote attestation solution that uses the Trusted Platform Module (TPM) to verify the integrity of enrolled systems. Each agent is identified by a UUID that the registrar is expected to bind to the TPM the agent enrolled with. The vulnerability is classified as CWE-694 (Use of Multiple Resources with Duplicate Identifier): the registrar does not check that a registration claiming an already-registered UUID comes from the same TPM as the original registration, so a new registration with a different TPM simply replaces the stored identity. Since the rest of the attestation pipeline trusts whatever identity the registrar holds for a UUID, an attacker who re-registers a victim's UUID with their own TPM can have that TPM's quotes accepted in place of the victim's, which undermines the identity binding that TPM-based attestation relies on.
Affected Products
Keylime remote attestation software is affected, though the available data do not state which versions. Multiple Red Hat products that ship Keylime are also affected, as shown by the Red Hat Security Advisories issued for this CVE (RHSA-2025:23201, RHSA-2025:23210, RHSA-2025:23628, RHSA-2025:23735, RHSA-2025:23852 and RHSA-2026:0429). The vulnerability is tracked as Red Hat Bugzilla bug 2416761 and as issue 1820 in the upstream Keylime GitHub repository.
Remediation
Apply the security updates from the Red Hat Security Advisory that corresponds to your Red Hat product version. For deployments built directly from upstream, follow Keylime GitHub issue 1820 for the fix and update to the fixed release once it is available. Until patched, restrict who can reach the registrar's registration endpoint (network segmentation and access controls on the registrar host) and monitor registration activity: a registration that reuses an already-registered UUID but presents a different TPM identity is the signature of this attack and should be treated as an attempted identity hijack, not as a routine re-enrollment. After patching, review existing registrar entries for agents whose TPM identity changed during the exposure window.
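The registration check at the heart of this flaw, and the audit signal the mitigation above asks you to monitor for, as an added illustrative model. This is not Keylime's own code and not the project's actual patch (which this page does not describe): it models the registrar as a dictionary keyed by agent UUID, represents "TPM device identity" as a SHA-256 fingerprint of the TPM endorsement key (called `ek_hash` here, an assumption for illustration), and uses constructed byte strings and a constructed UUID in place of real TPM keys. The vulnerable path overwrites a stored identity on a duplicate UUID; the hardened path rejects the re-registration and records an audit line.

```python
"""Illustrative model of the agent-registration flaw behind CVE-2025-13609.

Added example, not Keylime's code. The registrar binds an agent UUID to the
TPM it enrolled with, modelled as a SHA-256 fingerprint of the endorsement
key (ek_hash). Toggle enforce_tpm_binding to compare the vulnerable and the
hardened behaviour.
"""
import hashlib
from dataclasses import dataclass

# Constructed sample keys standing in for the public endorsement keys of two
# different TPM devices. Real EKs are RSA/ECC public keys read from the TPM.
LEGIT_EK = b"-----BEGIN PUBLIC KEY----- tpm-of-legitimate-host -----END PUBLIC KEY-----"
ATTACKER_EK = b"-----BEGIN PUBLIC KEY----- tpm-of-attacker-host -----END PUBLIC KEY-----"
AGENT_UUID = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"  # constructed example UUID


@dataclass
class AgentRecord:
    uuid: str
    ek_hash: str  # fingerprint of the TPM the agent enrolled with
    ip: str


class RegistrationConflict(Exception):
    """Raised by the hardened registrar when a UUID is re-registered from another TPM."""


def ek_fingerprint(ek_pem: bytes) -> str:
    return hashlib.sha256(ek_pem).hexdigest()


class Registrar:
    def __init__(self, enforce_tpm_binding: bool) -> None:
        self.enforce_tpm_binding = enforce_tpm_binding
        self.agents: dict[str, AgentRecord] = {}
        self.audit: list[str] = []  # one line per suspicious registration

    def register(self, uuid: str, ek_pem: bytes, ip: str) -> AgentRecord:
        fp = ek_fingerprint(ek_pem)
        existing = self.agents.get(uuid)
        if existing is not None and existing.ek_hash != fp:
            # Same UUID, different TPM: the CWE-694 condition this CVE describes.
            event = (f"uuid={uuid} src={ip} stored_ek={existing.ek_hash[:16]} "
                     f"offered_ek={fp[:16]}")
            if self.enforce_tpm_binding:
                self.audit.append("REJECTED " + event)
                raise RegistrationConflict(event)
            # Vulnerable behaviour: silently replace the stored identity.
            self.audit.append("OVERWRITTEN " + event)
        record = AgentRecord(uuid, fp, ip)
        self.agents[uuid] = record
        return record

    def quote_is_trusted(self, uuid: str, quoting_ek_pem: bytes) -> bool:
        """Verifier-side stand-in: a quote counts only if it comes from the TPM bound to the UUID."""
        record = self.agents.get(uuid)
        return record is not None and record.ek_hash == ek_fingerprint(quoting_ek_pem)


def run_scenario(enforce_tpm_binding: bool) -> dict:
    """Legitimate agent enrolls, then an attacker claims its UUID from another TPM."""
    reg = Registrar(enforce_tpm_binding)
    reg.register(AGENT_UUID, LEGIT_EK, "10.0.0.5")
    try:
        reg.register(AGENT_UUID, ATTACKER_EK, "10.0.0.99")
        outcome = "hijacked"
    except RegistrationConflict:
        outcome = "rejected"
    return {
        "outcome": outcome,
        "bound_ek": reg.agents[AGENT_UUID].ek_hash,
        "attacker_quote_trusted": reg.quote_is_trusted(AGENT_UUID, ATTACKER_EK),
        "legit_quote_trusted": reg.quote_is_trusted(AGENT_UUID, LEGIT_EK),
        "audit": reg.audit,
    }


if __name__ == "__main__":
    for enforce in (False, True):
        r = run_scenario(enforce)
        print(f"enforce_tpm_binding={enforce}: {r['outcome']}, "
              f"attacker quote trusted={r['attacker_quote_trusted']}")
        for line in r["audit"]:
            print("  audit:", line)
```

With enforcement off the attacker's record replaces the victim's and the verifier-side check accepts the attacker's TPM for the victim's UUID; with enforcement on the original binding survives and the attempt leaves a REJECTED audit line carrying both fingerprints and the source address, which is the event a monitoring rule for this CVE should key on.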
GitHub Security Advisory: GHSA-xh5w-g8gq-r3v9