CVE-2025-9039
BaseFortify

Publication date: 2025-08-14

Last updated on: 2025-08-15

Assigner: AMZN

Description
We identified an issue in the Amazon ECS agent where, under certain conditions, an introspection server could be accessed off-host by another instance if the instances are in the same security group or if their security groups allow incoming connections that include the port where the server is hosted. This issue does not affect instances where the option to allow off-host access to the introspection server is set to 'false'. This issue has been addressed in ECS agent version 1.97.1. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes. If customers cannot update to the latest AMI, they can modify the Amazon EC2 security groups to restrict incoming access to the introspection server port (51678).
Meta Information
Published: 2025-08-14
Last Modified: 2025-08-15
Generated: 2026-05-06
AI Q&A: 2025-08-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 3 associated CPEs
Vendor    Product      Version / Range
amazon    ecs_agent    1.97.0
amazon    ecs_agent    1.97.1
amazon    ecs_agent    0.0.3
CWE ID: CWE-277
Description: A product defines a set of insecure permissions that are inherited by objects that are created by the program.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Amazon ECS agent where, under certain conditions, an introspection server can be accessed from another instance if both instances are in the same security group or if their security groups allow incoming connections on the introspection server's port (51678). This means that unauthorized instances could potentially access internal information exposed by the introspection server. The issue does not affect instances where off-host access to the introspection server is disabled. It has been fixed in ECS agent version 1.97.1.


How can this vulnerability impact me?

If exploited, this vulnerability could allow unauthorized instances within the same security group or with permissive security group rules to access the introspection server on an ECS instance. This could lead to exposure of sensitive internal information or configuration details that the introspection server provides, potentially aiding further attacks or information leakage.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can detect this vulnerability by checking whether the introspection server port 51678 is accessible from other instances within the same security group or from instances allowed by security group rules. For example, use a network scanning tool such as 'nmap' to scan port 51678 on your instances: 'nmap -p 51678 <instance-ip>'. Additionally, verify the ECS agent version on your instances: versions older than 1.97.1 are vulnerable.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading the Amazon ECS agent to version 1.97.1 or later. If upgrading is not possible, modify the Amazon EC2 security groups to restrict incoming access to port 51678, ensuring that only trusted sources can connect. Also, verify that the option to allow off-host access to the introspection server is set to 'false' if applicable.
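
One way to carry out the security-group review described above is to check saved `aws ec2 describe-security-groups --output json` output for ingress rules that admit TCP traffic to port 51678, including all-traffic rules and same-group references. This is an added example, not code from AWS or from this page; the group IDs and rules in SAMPLE are constructed.

```python
import json

INTROSPECTION_PORT = 51678  # ECS agent introspection server port, per the advisory

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-0aaa", "IpPermissions": [
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}]},
  {"GroupId": "sg-0bbb", "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0ccc", "IpPermissions": [
    {"IpProtocol": "udp", "FromPort": 51678, "ToPort": 51678,
     "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]}
]}
""")

def rule_covers_port(perm, port=INTROSPECTION_PORT):
    """True if an ingress permission admits TCP traffic to `port`."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)

def exposed_sources(groups):
    """Return sorted (group_id, source) pairs that can reach the port."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            if not rule_covers_port(perm):
                continue
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            sources += [p["PrefixListId"] for p in perm.get("PrefixListIds", [])]
            for pair in perm.get("UserIdGroupPairs", []):
                gid = pair["GroupId"]  # "self" marks the same-security-group case
                sources.append("self" if gid == sg["GroupId"] else gid)
            findings += [(sg["GroupId"], src) for src in sources]
    return sorted(findings)

if __name__ == "__main__":
    for group_id, source in exposed_sources(SAMPLE):
        print(f"{group_id}: port {INTROSPECTION_PORT}/tcp reachable from {source}")
```

A wide port range such as 1024-65535 is flagged even though it never names 51678, which is the case a search for the literal port number misses.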

