CVE-2025-14551
Credential Exposure in Ubuntu Subiquity 24.04.4 via Crash Reports
Publication date: 2026-04-09
Last updated on: 2026-04-17
Assigner: Canonical Ltd.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canonical | ubuntu_subiquity | 24.04.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1258 | The hardware does not fully clear security-sensitive values, such as keys and intermediate values in cryptographic operations, when debug mode is entered. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Subiquity version 24.04.4 could lead to the leakage of sensitive user credentials, such as plaintext Wi-Fi passwords, during crash reporting. This exposure of sensitive personal data could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information.
The fix implemented prevents sensitive information from being logged by redacting response bodies in logs, thereby mitigating the risk of unauthorized data exposure. This remediation helps align the software with compliance requirements by reducing the risk of sensitive data leakage.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update Subiquity to a version that includes the fix for CVE-2025-14551. The fix introduces a mechanism that prevents sensitive information from being logged by applying a `@redacted_response` decorator to relevant API endpoints.
If updating immediately is not possible, avoid submitting crash reports that include Subiquity logs containing sensitive network configuration or identity data.
Review and clean any existing logs that may contain sensitive information to prevent unauthorized access.
Monitor for updates from Ubuntu or the Subiquity project and apply patches as soon as they become available.
Can you explain this vulnerability to me?
This vulnerability in Ubuntu's Subiquity installer (version 24.04.4) involves the leakage of sensitive user credentials during crash reporting. Specifically, if an installation fails and a user submits a bug report to Launchpad, Subiquity could inadvertently include sensitive information such as the user's plaintext Wi-Fi password in the attached logs.
The root cause was the improper logging of identity data and network secrets during network configuration processes. The fix introduced an API enhancement that uses a `@redacted_response` decorator on certain GET endpoints to ensure that only HTTP response codes are logged, not the full response bodies containing sensitive data.
How can this vulnerability impact me? :
This vulnerability can lead to the exposure of sensitive user credentials, such as plaintext Wi-Fi passwords, through crash report logs submitted during installation failures. If an attacker gains access to these logs, they could obtain network secrets and identity data, potentially compromising network security and user privacy.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves the leakage of sensitive user credentials, such as plaintext Wi-Fi passwords, in logs generated by the Subiquity installer during crash reporting. To detect if your system is affected, you should inspect the logs generated by Subiquity for any sensitive information exposure.
You can search for sensitive data in Subiquity logs by using commands that look for common keywords related to credentials, such as Wi-Fi passwords or user credentials.
- grep -i 'password' /var/log/subiquity/*
- grep -i 'wifi' /var/log/subiquity/*
- grep -i 'credential' /var/log/subiquity/*
Additionally, reviewing any crash reports submitted to Launchpad or stored locally that include Subiquity logs may help identify if sensitive data was leaked.