CVE-2025-32801

Summary

Kea configuration and API directives can be used to load a malicious hook library. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.

Affected Software

VendorProductVersion RangeStatus
ISCKea2.4.0 <= 2.4.1affected
ISCKea2.6.0 <= 2.6.2affected
ISCKea2.7.0 <= 2.7.8affected

Weaknesses

  • CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')

Workarounds

Two mitigation approaches are possible: (1) Disable the Kea API entirely, by (1a) disabling the kea-ctrl-agent, and (1b) removing any &#34;control-socket&#34; stanzas from the Kea configuration files; or (2) Secure access to the API by (2a) requiring authentication (a password or client certificate) for the kea-ctrl-agent, and (2b) configuring all &#34;control-socket&#34; stanzas to use a directory restricted to only trusted users.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References