CVE-2025-13609
HIGHSeverity by source
AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.
AnalysisAI
A critical authentication bypass vulnerability in Keylime allows attackers with high privileges to register malicious agents using different TPM devices while claiming existing agent UUIDs, effectively overwriting legitimate agent identities. This enables impersonation of trusted agents and potential bypass of security controls in the remote attestation system. With an EPSS score of 0.07% (21st percentile) and no known KEV listing, the vulnerability has a high CVSS score of 8.2 but relatively low real-world exploitation likelihood.
Technical ContextAI
Keylime is an open-source remote attestation solution that leverages Trusted Platform Module (TPM) technology to verify system integrity. The vulnerability stems from CWE-694 (Use of Multiple Resources with Duplicate Identifier), where the system fails to properly validate that a registering agent's claimed UUID matches its TPM device identity. This allows an attacker to claim an existing agent's UUID during registration, effectively hijacking that agent's identity within the attestation framework. The flaw fundamentally breaks the trust model of TPM-based attestation by allowing identity substitution.
Affected ProductsAI
Keylime remote attestation software is affected by this vulnerability, though specific version information is not provided in the available data. Multiple Red Hat products incorporating Keylime are impacted, as evidenced by the numerous RHSA advisories (RHSA-2025:23201, RHSA-2025:23210, RHSA-2025:23628, RHSA-2025:23735, RHSA-2025:23852, and RHSA-2026:0429). The vulnerability is tracked in Red Hat Bugzilla as bug 2416761 and upstream in the Keylime GitHub repository as issue 1820.
RemediationAI
Apply the security updates provided in the Red Hat Security Advisories corresponding to your specific Red Hat product version. For direct Keylime deployments, monitor the upstream GitHub issue 1820 for patches and update to the fixed version once available. As a temporary mitigation, implement strict access controls and monitoring for agent registration activities, limiting who can register new agents to the Keylime system. Consider implementing additional authentication mechanisms or network segmentation to prevent unauthorized agent registration attempts until patches are applied.
Same technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server 16.0 SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Retail Branch Server LTS 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Desktop 15 SP7 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Basesystem 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP4 | Fixed |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP5 | Fixed |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 15 SP6 | Fixed |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Manager Proxy 4.3 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Retail Branch Server 4.3 | Fixed |
| SUSE Manager Retail Branch Server LTS 4.3 | Fixed |
| SUSE Manager Server 4.3 | Fixed |
| SUSE Manager Server LTS 4.3 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP4 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 15 SP6 | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Fixed |
| SUSE Linux Enterprise High Performance Computing 15 SP6 | Fixed |
| SUSE Linux Enterprise Real Time 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| SUSE Manager Proxy 4.3 LTS | Fixed |
| SUSE Manager Retail Branch Server 4.3 LTS | Fixed |
| SUSE Manager Server 4.3 LTS | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-xh5w-g8gq-r3v9