CVE-2025-12744
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-03

Last updated on: 2025-12-04

Assigner: Fedora Project

Description
A flaw was found in the ABRT daemon’s handling of user-supplied mount information.ABRT copies up to 12 characters from an untrusted input and places them directly into a shell command (docker inspect %s) without proper validation. An unprivileged local user can craft a payload that injects shell metacharacters, causing the root-running ABRT process to execute attacker-controlled commands and ultimately gain full root privileges.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-03
Last Modified
2025-12-04
Generated
2026-06-16
AI Q&A
2025-12-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12744
EUVD
EUVD-2025-200735
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
red_hat abrt *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a command injection flaw in the ABRT daemon on Linux systems. ABRT takes up to 12 characters from user-supplied mount information and inserts them directly into a shell command (docker inspect) without validating or sanitizing the input. This allows a local unprivileged user to inject shell metacharacters and execute arbitrary commands with root privileges, leading to full system compromise. [1]

Impact Analysis

If exploited, this vulnerability allows a local unprivileged user to escalate their privileges to root by injecting malicious commands into the ABRT daemon's shell command. This can lead to complete system compromise, including unauthorized access, data manipulation, and control over the affected system. [1]

Detection Guidance

Detection involves checking for the presence of the vulnerable ABRT daemon and monitoring for suspicious usage of the 'docker inspect' command with unusual or malformed container IDs that may include shell metacharacters. Since exploitation requires local access to ABRT's UNIX socket, inspecting local user activity and ABRT logs for unexpected command executions or errors related to 'docker inspect' may help. Specific commands could include: 1) Checking for ABRT process: `ps aux | grep abrt` 2) Monitoring recent commands involving docker inspect: `journalctl -u abrt | grep 'docker inspect'` or searching shell history for suspicious docker inspect usage. However, no explicit detection commands are provided in the resources. [1]

Mitigation Strategies

Immediate mitigation steps include restricting local user access to the ABRT UNIX socket to prevent unprivileged users from interacting with the ABRT daemon, applying any available patches or updates from the vendor that address this vulnerability, and disabling or limiting the use of ABRT if it is not essential. Since the vulnerability involves unsanitized input in ABRT's handling of mount information, ensuring that ABRT runs with least privilege and monitoring for unusual activity can also help reduce risk until a patch is applied. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12744. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart