CVE-2025-23391: 
vulnerability analysis and mitigation

CVE-2025-23391 is a critical Incorrect Privilege Assignment vulnerability discovered in SUSE Rancher, disclosed on April 11, 2025. The vulnerability affects Rancher versions from 2.8.0 before 2.8.14, from 2.9.0 before 2.9.8, and from 2.10.0 before 2.10.4. This security flaw allows a Restricted Administrator to change the password of Administrators and take over their accounts (NVD, Security Online).

The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H. The issue is classified as CWE-266 (Incorrect Privilege Assignment) and specifically relates to how Rancher handles permissions for Restricted Administrators. The vulnerability violates the principle of least privilege, as it allows users with limited administrative rights to modify the credentials of users with higher privileges (NVD, GitHub Advisory).

The exploitation of this vulnerability allows a Restricted Administrator to gain unauthorized access to Administrator accounts by changing their passwords, potentially leading to complete control over the Rancher platform. However, Rancher deployments where the Restricted Administrator role is not being used are not affected by this vulnerability (GitHub Advisory).

SUSE has released patches to address this vulnerability in versions v2.8.14, v2.9.8, v2.10.4, and v2.11.0. The fix implements permission checks ensuring that users without manage-users permissions cannot edit users with higher privileges. For organizations unable to upgrade immediately, recommended workarounds include limiting Rancher Restricted Admin access to trusted users only and downgrading Restricted Administrators to custom roles with limited permissions (GitHub Advisory).