In the configurations of the Kea DHCP server used by various distributions, which is developed by the ISC consortium as a replacement for the classic ISC DHCP,
- CVE-2025-32801: allows a local user to gain root privileges on systems where Kea runs as the root user, or to gain full control over the Kea server on systems that run Kea under a user with reduced privileges. The attack is carried out by sending requests to the REST API provided by the kea-ctrl-agent service, which by default accepts requests on localhost:8000. In most configurations the REST API is available to all local users of the system without authentication.
Exploitation is carried out through the config-set command, which allows controlling the settings of all Kea services. Among other things, the command can be used to change the "hooks-libraries" parameter, which controls the loading of additional libraries. The attacker can achieve execution of their code in the context of the Kea services by substituting their own library: a function with the "constructor" attribute in that library is called when the library is opened with the dlopen() function.
    curl -X POST -H "Content-Type: application/json" -d '{ "command": "config-set", "arguments": { "Control-agent": { "hooks-libraries": [ { "library": "/home/someuser/libexploit.so" } ] } } }' localhost:8000
- CVE-2025-32802: the vulnerability makes it possible to use the config-write command in the REST API to overwrite any file on the system, as far as the rights of the user under which Kea runs allow. The attacker can control the written content, but the data is written in JSON format and must include valid Kea settings. Nevertheless, it is not excluded that this may be enough to run commands with root privileges by manipulating files in the /etc/profile.d directory.
    curl -X POST -H "Content-Type: application/json" -d '{ "command": "config-write", "arguments": { "filename": "/etc/evil.conf" } }' localhost:8000
Several scenarios for using the config-write command to change Kea settings are mentioned separately. For example, it is possible to redirect the log files to an arbitrary location in the file system, to spoof the control UNIX sockets of the services, or to block Kea from working.
- CVE-2025-32803: logs (/var/log/kea*.log), as well as the files /var/lib/kea/ke/*.cvs, which contain information about IP address bindings (DHCP leases) and related data, are readable by everyone.
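
A defender-side check for the conditions behind CVE-2025-32801 and CVE-2025-32803, as an added example that is not from the original article or from ISC: it flags a control agent configuration with no REST API clients or with hook libraries outside trusted directories, and lists files that any local user can read. The `authentication` and `clients` keys are Kea control agent settings not shown on this page, the trusted hook directories are an assumption, and real Kea configuration files may contain comments that must be stripped before JSON parsing.

```python
import json
import os
import posixpath
import stat

# Assumption: directories where packaged Kea hook libraries live on this host.
TRUSTED_HOOK_DIRS = ("/usr/lib/kea/hooks/", "/usr/lib64/kea/hooks/")

def audit_ctrl_agent(conf):
    """Return findings for a parsed kea-ctrl-agent configuration (a dict)."""
    findings = []
    agent = conf.get("Control-agent", {})
    # Without any configured client, every local user can call the REST API.
    auth = agent.get("authentication") or {}
    if not auth.get("clients"):
        findings.append("rest-api-unauthenticated")
    # A hook library outside the trusted directories is code someone else can supply.
    for hook in agent.get("hooks-libraries", []):
        lib = posixpath.normpath(hook.get("library", ""))  # collapses "../" tricks
        if not lib.startswith(TRUSTED_HOOK_DIRS):
            findings.append("untrusted-hook:" + lib)
    return findings

def world_readable(paths):
    """Return the existing paths whose mode lets any local user read them."""
    hits = []
    for path in paths:
        try:
            mode = os.stat(path).st_mode
        except OSError:
            continue  # missing or inaccessible file: nothing to report
        if mode & stat.S_IROTH:
            hits.append(path)
    return hits

# Constructed sample input: an agent config with no authentication and the
# hook library path used in the config-set request shown above.
SAMPLE = json.loads("""
{ "Control-agent": { "http-host": "127.0.0.1", "http-port": 8000,
    "hooks-libraries": [ { "library": "/home/someuser/libexploit.so" } ] } }
""")

if __name__ == "__main__":
    import glob
    for finding in audit_ctrl_agent(SAMPLE):
        print(finding)
    for path in world_readable(glob.glob("/var/log/kea*.log")):
        print("world-readable:", path)
```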