CVE-2025-14503
Excessive IAM Trust Policy in Harmonix AWS Enables Privilege Escalation

Publication date: 2025-12-15

Last updated on: 2025-12-17

Assigner: AMZN

Description
An overly permissive IAM trust policy in the Harmonix on AWS framework may allow IAM principals in the same AWS account to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any IAM principal in the same AWS account with sts:AssumeRole permissions to assume the role with administrative privileges. We recommend that customers who have deployed the framework using versions v0.3.0 through v0.4.1 upgrade to Harmonix on AWS v0.4.2 or later.
Meta Information
Published: 2025-12-15
Last Modified: 2025-12-17
Generated: 2026-05-07
AI Q&A: 2025-12-15
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 3 associated CPEs

Vendor   Product   Version / Range
awslabs  harmonix  0.3.0
awslabs  harmonix  0.4.1
awslabs  harmonix  0.4.2
CWE
CWE-266: A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is an overly permissive IAM trust policy in the Harmonix on AWS framework, specifically in the sample EKS environment provisioning role. The role is configured to trust the AWS account root principal, which is overly permissive. This misconfiguration allows any authenticated account principal with sts:AssumeRole permissions to assume the role with administrative privileges, leading to privilege escalation. Essentially, users who should not have administrative access can gain it by exploiting this trust policy. [1, 2]


How can this vulnerability impact me?

The vulnerability can allow authenticated users within an AWS account to escalate their privileges by assuming a role with administrative rights. This can lead to unauthorized access and control over AWS resources, potentially compromising confidentiality, integrity, and availability of the environment. Attackers could misuse administrative privileges to manipulate or disrupt services, access sensitive data, or cause other security breaches. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

To detect this vulnerability, monitor AWS CloudTrail logs for AssumeRole events where the requestParameters.roleArn matches the ARN of the provisioning role, typically named with the pattern '*-eks-*-provisioning-role'. This can help identify unauthorized role assumption attempts. You can use AWS CLI commands such as `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRole` and filter the results for the specific role ARN. Additionally, review IAM trust policies to check if the provisioning role trusts the AWS account root principal, which is overly permissive. [2]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation steps are to upgrade Harmonix on AWS to version v0.4.2 or later, which contains the fix for this vulnerability. If upgrading immediately is not possible, manually review and restrict the IAM trust policies for the EKS environment provisioning role by removing trust from the AWS account root principal to prevent unauthorized role assumption. This reduces the risk of privilege escalation until the upgrade can be applied. [1, 2]
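The two answers above (detection via CloudTrail AssumeRole events, mitigation by removing trust from the account root principal) can be turned into a small offline audit script. The following is an added example, not code from the Harmonix on AWS project or from the advisory: it flags trust-policy statements that let the account root principal (or `*`, or a bare account ID, which IAM treats the same way) assume the role, rewrites them to trust only explicit principal ARNs, and filters CloudTrail records for AssumeRole calls against roles whose name matches the `*-eks-*-provisioning-role` pattern from unexpected callers. The account ID, role names, caller ARNs and log records are constructed samples.

```python
"""Defender-side checks for CVE-2025-14503 (Harmonix on AWS), added example.

audit_trust_policy()          - which Allow statements let the account root
                                principal (or '*') call sts:AssumeRole
restrict_to_principals()      - hardened copy trusting only named ARNs
suspicious_assume_role_events() - CloudTrail AssumeRole calls against a
                                '*-eks-*-provisioning-role' from callers
                                not on the expected list
All sample policies, ARNs and log records below are constructed.
"""
import fnmatch
import json
import re

# arn:aws:iam::<12-digit account>:root, or a bare account ID, both mean "root"
ROOT_PRINCIPAL_RE = re.compile(r"^(arn:aws:iam::\d{12}:root|\d{12})$")
PROVISIONING_ROLE_PATTERN = "*-eks-*-provisioning-role"  # naming pattern from the advisory


def _as_list(value):
    """IAM policy JSON allows a scalar or a list for Statement, Action and Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy):
    """Return the Sid (or statement index when no Sid) of every Allow statement
    that grants sts:AssumeRole to the account root principal or to '*'."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append(stmt.get("Sid", idx))
        elif isinstance(principal, dict) and any(
            p == "*" or ROOT_PRINCIPAL_RE.match(p) for p in _as_list(principal.get("AWS"))
        ):
            findings.append(stmt.get("Sid", idx))
    return findings


def restrict_to_principals(policy, allowed_arns):
    """Return a deep copy in which every flagged statement trusts only the given
    principal ARNs (e.g. the CI/CD role that really provisions the environment).
    The input policy is left unchanged."""
    hardened = json.loads(json.dumps(policy))
    flagged = set(audit_trust_policy(policy))
    for idx, stmt in enumerate(_as_list(hardened.get("Statement"))):
        if stmt.get("Sid", idx) in flagged:
            stmt["Principal"] = {"AWS": list(allowed_arns)}
    return hardened


def suspicious_assume_role_events(records, expected_principal_arns=()):
    """Return (eventTime, caller ARN, role ARN) for AssumeRole events whose target
    role name matches PROVISIONING_ROLE_PATTERN and whose caller is unexpected."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "sts.amazonaws.com" or rec.get("eventName") != "AssumeRole":
            continue
        role_arn = (rec.get("requestParameters") or {}).get("roleArn", "")
        role_name = role_arn.rsplit("/", 1)[-1]          # 'role/<name>' -> '<name>'
        if not fnmatch.fnmatchcase(role_name, PROVISIONING_ROLE_PATTERN):
            continue
        caller = (rec.get("userIdentity") or {}).get("arn", "")
        if caller not in expected_principal_arns:
            hits.append((rec.get("eventTime"), caller, role_arn))
    return hits


# Constructed sample: the root-trusting policy shape the advisory describes.
PERMISSIVE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TrustAccountRoot", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
                   "Action": "sts:AssumeRole"}],
}
EXPECTED_ASSUMERS = ("arn:aws:iam::111122223333:role/harmonix-ci-role",)  # constructed
PROV_ROLE = "arn:aws:iam::111122223333:role/dev-eks-main-provisioning-role"  # constructed

# Constructed, abridged CloudTrail records: one expected caller, one unexpected
# caller of the provisioning role, and one unrelated role assumption.
SAMPLE_EVENTS = [
    {"eventTime": "2025-12-16T10:00:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"arn": EXPECTED_ASSUMERS[0]}, "requestParameters": {"roleArn": PROV_ROLE}},
    {"eventTime": "2025-12-16T10:05:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/intern"}, "requestParameters": {"roleArn": PROV_ROLE}},
    {"eventTime": "2025-12-16T10:06:00Z", "eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/intern"},
     "requestParameters": {"roleArn": "arn:aws:iam::111122223333:role/some-other-role"}},
]

if __name__ == "__main__":
    print("root-trust findings:", audit_trust_policy(PERMISSIVE_TRUST_POLICY))
    print(json.dumps(restrict_to_principals(PERMISSIVE_TRUST_POLICY, EXPECTED_ASSUMERS), indent=2))
    for hit in suspicious_assume_role_events(SAMPLE_EVENTS, EXPECTED_ASSUMERS):
        print("unexpected AssumeRole:", hit)
```

In practice the policy document comes from `aws iam get-role` and the records from the CloudTrail lookup command quoted above; the matching is on the role name only, so a provisioning role deployed under a different naming convention needs the pattern adjusted. The hardened policy is a starting point: the principals placed in it should be exactly the pipeline or operator identities that are meant to provision EKS environments.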


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA. However, given that the vulnerability allows privilege escalation and potentially compromises confidentiality, integrity, and availability of AWS accounts, it could indirectly affect compliance by increasing the risk of unauthorized access to sensitive data. Organizations subject to such regulations should address this vulnerability promptly to maintain compliance. [1, 2]

