CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:L
Description (NVD)
KDE Konsole before 25.04.2 allows remote code execution in a certain scenario. It supports loading URLs from the scheme handlers such as a ssh:// or telnet:// or rlogin:// URL. This can be executed regardless of whether the ssh, telnet, or rlogin binary is available. In this mode, there is a code path where if that binary is not available, Konsole falls back to using /bin/bash for the given arguments (i.e., the URL) provided. This allows an attacker to execute arbitrary code.
Analysis (AI)
Remote code execution vulnerability in KDE Konsole before version 25.04.2 that exploits improper fallback behavior in URL scheme handler processing. When a user clicks on ssh://, telnet://, or rlogin:// URLs, Konsole attempts to execute the corresponding binary; if unavailable, it dangerously falls back to /bin/bash with the URL as an argument, allowing arbitrary command execution. The vulnerability requires user interaction (clicking a malicious link) but affects all Konsole users, potentially at scale through phishing or drive-by attacks.
Technical Context (AI)
KDE Konsole is a terminal emulator that registers handlers for remote access scheme URIs (ssh://, telnet://, rlogin://) per the XDG Desktop Entry specification. The vulnerability resides in the scheme handler implementation (CWE-670: Improper Controls for Unusual or Dangerous XML). When Konsole receives a URL like ssh://attacker.com -c 'malicious_command', it attempts to invoke the ssh binary with parsed URL components as arguments. The root cause is inadequate error handling: if the ssh binary is missing, the code does not properly validate or sanitize the remaining arguments before passing them to /bin/bash as a fallback. This violates the principle of least privilege and proper input validation. The affected component is likely in Konsole's URL parsing and process spawning logic, specifically in how it constructs command arguments for scheme handlers without proper quoting or validation of the fallback path.
Remediation (AI)
Immediate: Upgrade KDE Konsole to version 25.04.2 or later (available via KDE repositories and distribution package managers). For Ubuntu/Debian: apt update && apt upgrade konsole or apt install konsole=25.04.2-* (version syntax varies by distro). For Fedora/RHEL: dnf upgrade konsole. For Arch: pacman -S konsole.

Workaround (short-term, pre-patch): Ensure ssh, telnet, and rlogin binaries are installed on the system (apt install openssh-client, inetutils-telnet, rsh-client) to prevent fallback to /bin/bash, though this only mitigates, not eliminates, risk.

Best practice: Disable or restrict URL scheme handler registration in Konsole settings if remote access is unnecessary. Monitor for KDE security advisories at https://www.kde.org/info/security/ and apply patches promptly.
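The upgrade and workaround guidance above can be turned into a local exposure check. The script below is an added example, not code from the advisory or from KDE. Its function names are hypothetical, and it assumes that `konsole --version` prints the version as its last field and that `sort -V` is available.

```shell
#!/bin/sh
# Added example: local exposure check for the Konsole URL-handler fallback.
# FIXED_VERSION comes from the advisory text; function names are illustrative.
FIXED_VERSION="25.04.2"

# version_lt A B: true when A sorts strictly before B (uses sort -V).
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# missing_handlers PATHSTRING: print which of ssh/telnet/rlogin have no
# executable in the colon-separated directories. A missing binary is the
# precondition for the /bin/bash fallback described above.
missing_handlers() {
    missing=""
    for bin in ssh telnet rlogin; do
        found=no
        old_ifs=$IFS; IFS=:
        for dir in $1; do
            if [ -x "$dir/$bin" ]; then found=yes; fi
        done
        IFS=$old_ifs
        if [ "$found" = no ]; then missing="$missing $bin"; fi
    done
    printf '%s\n' "${missing# }"
}

# assess VERSION PATHSTRING: classify a host from its Konsole version and PATH.
assess() {
    gaps=$(missing_handlers "$2")
    if ! version_lt "$1" "$FIXED_VERSION"; then
        echo "patched"
    elif [ -n "$gaps" ]; then
        echo "exposed: $gaps"
    else
        echo "mitigated"
    fi
}

# Live check, only when Konsole is installed on this machine.
if command -v konsole >/dev/null 2>&1; then
    assess "$(konsole --version 2>/dev/null | awk '{print $NF}')" "$PATH"
fi
```

Distribution backports carry the fix under older version strings (see the Debian table below), so confirm an "exposed" result against the vendor's fixed package version before acting on it.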
Vendor Status (Vendor)
Ubuntu
Priority: Medium

| Release | Status | Version |
|---|---|---|
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| upstream | released | 4:25.04.0-2 |
| oracular | ignored | end of life, was needs-triage |
| questing | needs-triage | - |
| plucky | ignored | end of life, was needs-triage |
Debian
Bug #1107672

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | fixed | 4:20.12.3-1+deb11u1 | - |
| bullseye (security) | fixed | 4:20.12.3-1+deb11u1 | - |
| bookworm, bookworm (security) | fixed | 4:22.12.3-1+deb12u1 | - |
| trixie | fixed | 4:25.04.2-1 | - |
| forky, sid | fixed | 4:25.12.1-1 | - |
| bookworm | fixed | 4:22.12.3-1+deb12u1 | - |
| (unstable) | fixed | 4:25.04.0-2 | - |
EUVD-2025-18073