CVE-2025-57851
Container Privilege Escalation in Multicluster Engine via /etc/passwd Permissions
Publication date: 2026-04-08
Last updated on: 2026-05-01
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | advanced_cluster_management_for_kubernetes | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to escalate privileges within a container to root level by modifying the /etc/passwd file due to improper group-writable permissions. Such unauthorized privilege escalation can lead to unauthorized access to sensitive data and system controls.
From a compliance perspective, this could impact adherence to standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data. If exploited, the vulnerability could result in unauthorized data access or modification, potentially leading to data breaches or violations of regulatory requirements.
Therefore, organizations using affected Multicluster Engine for Kubernetes images should consider this vulnerability a risk to their compliance posture and take appropriate remediation steps to prevent privilege escalation and protect sensitive information.
Can you explain this vulnerability to me?
CVE-2025-57851 is a container privilege escalation vulnerability found in certain Multicluster Engine for Kubernetes images. The root cause is that the /etc/passwd file is created with group-writable permissions during build time. This improper permission setting allows an attacker who can run commands inside the affected container, even as a non-root user, to exploit their membership in the root group to modify the /etc/passwd file.
By modifying the /etc/passwd file, the attacker can add a new user with any arbitrary user ID (UID), including UID 0, which is the root user. This effectively grants the attacker full root privileges within the container.
How can this vulnerability impact me?
This vulnerability can allow an attacker with limited privileges inside a container to escalate their privileges to full root access within that container. This means the attacker can perform any action that the root user can, potentially compromising the container's security and any applications or data running inside it.
Such privilege escalation can lead to unauthorized access, data manipulation, or disruption of services within the container environment.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the permissions of the /etc/passwd file inside the affected containers. Specifically, you need to verify if the /etc/passwd file has group-writable permissions, which is the root cause of the issue.
- Run the command: ls -l /etc/passwd
- If the output shows group-writable permissions (e.g., -rw-rw-r--; the sixth character of the mode string is the group-write bit), the container is vulnerable.
Additionally, verify if the user executing commands inside the container is a member of the root group, as this membership is required to exploit the vulnerability.
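The two checks above, combined into a small POSIX shell script. This is an added example written for this page, not tooling from Red Hat or the Multicluster Engine project; the function names and the optional path argument (defaulting to /etc/passwd) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the advisory): detection helpers for CVE-2025-57851.
# The weakness is reachable when the file's group-write bit is set AND the
# invoking user belongs to the file's owning group (gid 0 for root:root).

# Parse an `ls -l` mode string such as "-rw-rw-r--". Position 6 is the
# group-write bit; returns 0 (true) when it is 'w'.
mode_string_group_writable() {
    case "$1" in
        ?????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# Live check of a file on disk (default /etc/passwd). POSIX find's
# -perm -020 matches only when the group-write bit is set.
file_group_writable() {
    f="${1:-/etc/passwd}"
    [ -e "$f" ] || return 2
    [ -n "$(find "$f" -prune -perm -020 2>/dev/null)" ]
}

# Returns 0 when the effective user is a member of gid 0 (the root group).
in_root_group() {
    for g in $(id -G); do
        [ "$g" = "0" ] && return 0
    done
    return 1
}

# Combined verdict: prints one line, returns 0 only when both conditions hold.
check_passwd_exposure() {
    f="${1:-/etc/passwd}"
    if [ ! -e "$f" ]; then echo "ERROR: $f not found"; return 2; fi
    if ! file_group_writable "$f"; then
        echo "OK: $f is not group-writable"
        return 1
    fi
    if in_root_group; then
        echo "VULNERABLE: $f is group-writable and current user is in gid 0"
        return 0
    fi
    echo "WARNING: $f is group-writable, but current user is not in gid 0"
    return 1
}
```

Run check_passwd_exposure inside each container as the user the workload actually runs as; a WARNING still indicates a misbuilt image that should be fixed even though that particular account cannot modify the file.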
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves correcting the permissions of the /etc/passwd file within affected containers to remove group-writable access.
- Change the permissions of /etc/passwd to remove group write access by running: chmod 644 /etc/passwd
- Ensure that container images are rebuilt without assigning group-writable permissions to /etc/passwd during build time.
- Limit the membership of users in the root group inside containers to reduce the risk of exploitation.