CVE-2025-32801

EUVD-2025-16210
Kea configuration and API directives can be used to load a malicious hook library. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths.
This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.
Weakness type: Code Injection
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  7.8 HIGH    LOCAL        LOW              LOW             CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
isc       CNA      7.8 HIGH    LOCAL        LOW              LOW             CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Analysis status: This vulnerability is currently awaiting analysis.
EPSS score percentile: 3%
Debian Releases
Product   Codename   Version         Status
isc-kea   bookworm   (none listed)   vulnerable
isc-kea   forky      3.0.2-2         fixed
isc-kea   sid        3.0.2-2         fixed
isc-kea   trixie     2.6.3-1         fixed
Ubuntu Releases
Product   Codename   Status
isc-kea   bionic     not-affected
isc-kea   focal      not-affected
isc-kea   jammy      not-affected
isc-kea   noble      ignored
isc-kea   oracular   ignored
isc-kea   plucky     ignored
isc-kea   questing   not-affected
isc-kea   xenial     not-affected