CVE-2025-60892
BaseFortify
Publication date: 2025-11-03
Last updated on: 2025-11-04
Assigner: MITRE
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| raspberry_pi | imager | 1.9.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Raspberry Pi Imager version 1.9.6 for Windows, specifically in its OS customization feature. The 'public-key authentication' setting mistakenly re-adds a user's id_rsa.pub key from their local Windows machine to the authorized_keys file on the Raspberry Pi, even if the user deletes the key through the user interface. This means the key remains authorized on the device without the user's consent.
How can this vulnerability impact me?
The vulnerability creates an unintended attack surface by allowing an attacker to potentially use a different SSH key than the one intended by the user to log into the Raspberry Pi device. This could lead to unauthorized access to the device.