CVE-2025-32801: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-32801 affects Kea, a software component, discovered and disclosed on May 28, 2025. The vulnerability allows loading of malicious hook libraries through Kea configuration and API directives. This issue impacts Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8 (ISC KB).

The vulnerability involves the ability to load malicious hook libraries through Kea configuration and API directives. Many common configurations run Kea as root, leave the API entry points unsecured by default, and place the control sockets in insecure paths. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements with high impact potential (ISC KB).

If successfully exploited, an attacker with access to a local unprivileged user account can instruct Kea to load a hook library from an arbitrary local file, including files introduced by the attacker. The malicious hook would execute with the privileges available to Kea, which often runs as root, potentially leading to complete system compromise (ISC KB).

Two mitigation approaches are available: 1) Disable the Kea API entirely by disabling the kea-ctrl-agent and removing any 'control-socket' stanzas from the Kea configuration files, or 2) Secure API access by requiring authentication and configuring all 'control-socket' stanzas to use a directory restricted to only trusted users. Additionally, patched versions (2.4.2, 2.6.3, and 2.7.9) have been released to address this vulnerability (ISC KB).

The vulnerability was responsibly disclosed with acknowledgments to Matthias Gerstner from the SUSE security team and Laura Pardo from Red Hat's Product Security Team for bringing this vulnerability to ISC's attention (ISC KB).