CVE-2025-32801

Kea configuration and API directives can be used to load a malicious hook library.  Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths.
This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
iscCNA
7.8 HIGH
LOCAL
LOW
LOW
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 1%
Debian logo
Debian Releases
Debian Product
Codename
isc-kea
bookworm
vulnerable
trixie
2.6.3-1
fixed
forky
2.6.4-1
fixed
sid
2.6.4-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
isc-kea
plucky
needed
oracular
ignored
noble
needed
jammy
not-affected
focal
not-affected
bionic
not-affected
xenial
not-affected
Common Weakness Enumeration
References
https://kb.isc.org/docs/cve-2025-32801