EUVD-2025-19240

CVE-2025-52555 | Severity: MEDIUM | CVSS 3.1 base score: 6.5
Published: 2025-06-26

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector:       Adjacent
Attack Complexity:   High
Privileges Required: Low
User Interaction:    None
Scope:               Changed
Confidentiality:     High
Integrity:           Low
Availability:        None

Lifecycle Timeline

Patch Released:      Mar 31, 2026 - 21:13 (source: nvd) - patch available
EUVD ID Assigned:    Mar 15, 2026 - 23:54 (source: euvd) - EUVD-2025-19240
Analysis Generated:  Mar 15, 2026 - 23:54 (source: vuln.today)
CVE Published:       Jun 26, 2025 - 21:15 (source: nvd) - severity MEDIUM, score 6.5

Description

Ceph is a distributed object, block, and file storage platform. In versions 17.2.7, 18.2.1 through 18.2.4, and 19.0.0 through 19.2.2, an unprivileged user can escalate to root privileges on a ceph-fuse mounted CephFS by running chmod 777 on a directory owned by root to gain access to it. As a result, a user could read, write, and execute in any directory owned by root as long as they chmod 777 it. This impacts confidentiality, integrity, and availability. It is patched in versions 17.2.8, 18.2.5, and 19.2.3.

Technical Context

Privilege escalation allows a low-privileged user or process to gain elevated permissions beyond what was originally authorized. This vulnerability is classified as Improper Privilege Management (CWE-269).

Remediation

Apply the principle of least privilege. Keep systems patched. Monitor for suspicious privilege changes. Use mandatory access controls (SELinux, AppArmor).

Priority Score

33 (scale: Low / Medium / High / Critical)
Components: KEV 0, EPSS +0.0, CVSS +32, POC 0

Vendor Status

Ubuntu

Priority: Medium
Package: ceph

Release    Status        Version
upstream   released      17.2.8, 18.2.5, 19.2.3
oracular   ignored       end of life, was needs-triage
jammy      not-affected  17.2.9-0ubuntu0.22.04.1
bionic     not-affected  code not present
noble      not-affected  19.2.3-0ubuntu1.24.04.1
focal      not-affected  code not present
plucky     not-affected  19.2.3-0ubuntu1.25.04.1
trusty     not-affected  code not present
questing   not-affected  19.2.3-0ubuntu1.25.10.1
xenial     not-affected  code not present

Debian

Bug #1108410
Package: ceph

Release                        Status      Fixed Version         Urgency
bullseye                       fixed       14.2.21-1+deb11u1     -
bullseye (security)            fixed       14.2.21-1+deb11u3     -
bookworm, bookworm (security)  vulnerable  16.2.15+ds-0+deb12u1  -
trixie                         fixed       18.2.7+ds-1           -
forky, sid                     fixed       18.2.7+ds-1.1         -
(unstable)                     fixed       18.2.6-1              -

EUVD-2025-19240 vulnerability details – vuln.today