Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
API-reachable, so AV:N; requires a non-default console interface configuration, which this note counts as raising complexity (AC:H, although the NVD vector below lists AC:L); needs high-privilege operator credentials, so PR:H; ipmitool execution yields full CIA impact.
Primary rating from NVD.
CVSS vector (NVD): CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Description (NVD)
OpenStack Ironic through 25.0.0 allows ipmitool execution in a non-default configuration that has a console interface.
Analysis (AI)
Command injection via ipmitool in OpenStack Ironic through 25.0.0 allows authenticated operators with high privileges to trigger ipmitool execution when a console interface is configured in a non-default deployment, leading to high impact on confidentiality, integrity, and availability of the bare-metal provisioning node. No public exploit identified at time of analysis, EPSS is very low (0.07%, 20th percentile), and SSVC indicates no observed exploitation, consistent with a niche operator-level flaw rather than mass-scanning risk.
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires: (1) Ironic deployed at version ≤25.0.0; (2) the non-default console interface explicitly enabled in the Ironic driver/console configuration (default deployments without a console interface are not affected); (3) network reachability to the Ironic API endpoint; and (4) valid credentials holding high Ironic operator privileges (CVSS PR:H), not ordinary tenant or guest accounts. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are mixed but consistently point to a high-impact, low-likelihood issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has compromised or legitimately holds high-privilege Ironic operator credentials on an OpenStack cloud whose deployment has enabled the console interface sends an API request that drives the console driver, causing the ironic-conductor to invoke ipmitool with attacker-influenced parameters. This yields arbitrary IPMI/BMC interaction against managed bare-metal hosts and code execution in the conductor context, allowing tenant separation bypass, node tampering, or denial of service on physical hardware. … |
| Remediation | Patch available per vendor advisory: upgrade Ironic to the fixed release referenced in OSSA-2026-008 (https://security.openstack.org/ossa/OSSA-2026-008.html); no exact fixed version is independently confirmed in the supplied data, so consult the advisory for the patched stable-branch release matching your OpenStack series. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended Action (AI)
Within 24 hours: Identify all OpenStack Ironic deployments at version 25.0.0 or earlier with console interfaces enabled and validate operator privilege separation controls. …
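The inventory step above (find Ironic deployments at or below 25.0.0 that have a console interface enabled) is easy to get wrong by checking only the global configuration, because the console interface can also be selected per node. The following triage helper is an added example written for this page; it is not code from vuln.today, the advisory, or the Ironic project. It assumes the ironic.conf option names `enabled_console_interfaces` and `default_console_interface` under `[DEFAULT]`, with `no-console` as the inert value, and assumes node records carry a `console_interface` field as the Ironic node API exposes; verify those names against your own deployment. The configuration text, version strings and node records it runs on are constructed sample data.

```python
"""Triage helper for the console-interface condition (added example, not the
page's or the Ironic project's code).

Assumed option names, to be verified against your ironic.conf:
  [DEFAULT] enabled_console_interfaces   comma-separated list, 'no-console' default
  [DEFAULT] default_console_interface
Node records are assumed to carry a 'console_interface' field.
"""
import configparser
import io
import re

AFFECTED_MAX = (25, 0, 0)   # "through 25.0.0" per the NVD description
NO_CONSOLE = "no-console"   # assumed inert console interface name


def parse_version(text):
    """Extract a (major, minor, patch) tuple from a version string like '25.0.0'."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def console_interfaces_enabled(conf_text):
    """Return the console interfaces enabled globally, excluding 'no-console'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_file(io.StringIO(conf_text))
    raw = cp.get("DEFAULT", "enabled_console_interfaces", fallback=NO_CONSOLE)
    enabled = {s.strip() for s in raw.split(",") if s.strip()}
    return sorted(enabled - {NO_CONSOLE})


def nodes_with_console(nodes):
    """UUIDs of nodes whose per-node console_interface is not 'no-console'."""
    return [n["uuid"] for n in nodes
            if n.get("console_interface", NO_CONSOLE) != NO_CONSOLE]


def triage(version_text, conf_text, nodes):
    """Combine the version and console checks into one verdict.

    'exposed' is True only when the version is in range AND a console
    interface is enabled either globally or on at least one node.
    """
    version = parse_version(version_text)
    enabled = console_interfaces_enabled(conf_text)
    node_hits = nodes_with_console(nodes)
    in_range = version <= AFFECTED_MAX
    return {
        "version": version,
        "version_in_range": in_range,
        "global_console_interfaces": enabled,
        "nodes_with_console": node_hits,
        "exposed": in_range and bool(enabled or node_hits),
    }


# Constructed sample input: a deployment that enabled ipmitool-socat globally.
SAMPLE_CONF_CONSOLE = """
[DEFAULT]
# console interfaces enabled alongside the inert default
enabled_console_interfaces = ipmitool-socat,no-console
default_console_interface = ipmitool-socat
"""

# Constructed sample input: a stock configuration with no console interface.
SAMPLE_CONF_DEFAULT = """
[DEFAULT]
enabled_console_interfaces = no-console
"""

# Constructed node records; only node-a selects a console interface.
SAMPLE_NODES = [
    {"uuid": "node-a", "console_interface": "ipmitool-socat"},
    {"uuid": "node-b", "console_interface": "no-console"},
    {"uuid": "node-c"},
]


if __name__ == "__main__":
    for label, ver, conf in (("console enabled", "25.0.0", SAMPLE_CONF_CONSOLE),
                             ("stock config", "25.0.0", SAMPLE_CONF_DEFAULT),
                             ("newer release", "26.1.0", SAMPLE_CONF_CONSOLE)):
        print(label, triage(ver, conf, SAMPLE_NODES))
```

Run it against each conductor's ironic.conf and a node listing; a deployment counts as exposed only when both conditions hold, which mirrors the "non-default configuration that has a console interface" wording in the description. Treat a per-node console interface as enabling the condition even when the global default is `no-console`.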
Related OpenStack Ironic vulnerabilities
- Boot script injection in OpenStack Ironic versions up to and including 35.0.x allows authenticated tenants to influence
- Credential forwarding vulnerability in OpenStack Ironic's idrac driver allows authenticated attackers to steal time-limi
- Denial of service in OpenStack Ironic versions 32 through 35.0.1 allows remote unauthenticated attackers to crash the ba
- Unredacted iSCSI credential disclosure in OpenStack Ironic through 35.0.1 occurs specifically when an authenticated oper
- Infinite loop denial-of-service in OpenStack Ironic's image handling allows low-privileged authenticated attackers to ex
- File extraction from the Ironic conductor service is possible via a crafted pxe_template, as disclosed in OpenStack Secu
- Server-side template injection in OpenStack Ironic through version 35.x allows authenticated administrators to disclose
EUVD identifier: EUVD-2026-25982