Cyber Resilience

CVE-2025-0928

Severity: High · Public PoC referenced

Published: 08 July 2025
Modified: 08 January 2026
KEV Added: not listed
Patch: fixed releases 3.6.8 and 2.9.52
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0232 (85.2th percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-0928 is a high-severity Improper Authorization (CWE-285) vulnerability in Canonical Juju. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 14.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-5 (Access Restrictions for Change).

Deeper analysis

The vulnerability CVE-2025-0928 affects Juju versions prior to 3.6.8 and 2.9.52. It stems from missing authorization checks that permit any authenticated controller user to upload arbitrary agent binaries to any model or the controller itself, without verifying model membership or requiring explicit permissions. The issue is tracked under CWE-285 and CWE-434 and carries a CVSS 3.1 score of 8.8.

An authenticated controller user can exploit the flaw to upload poisoned binaries that are later distributed to new or upgraded machines, resulting in remote code execution on those systems.

The referenced GitHub security advisory identifies the fixed releases as 3.6.8 and 2.9.52.
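As an added triage check (not code from the advisory or from the Juju project), the script below classifies inventory version strings against the fixed releases named above. It assumes `juju version` style strings such as `3.6.7-genericlinux-amd64`, and it assumes that a `-beta`/`-rc` tag on a fixed version number marks a prerelease that still predates the fix; the inventory lines are constructed samples.

```python
"""Classify Juju version strings against the CVE-2025-0928 fixed releases.
Added example (not advisory or Juju project code). Assumes `juju version`
style strings like "3.6.7-genericlinux-amd64"; a -beta/-rc tag on a fixed
number is assumed to be a prerelease that still predates the fix."""
import re
from typing import List, Optional, Tuple

FIXED = {2: (2, 9, 52), 3: (3, 6, 8)}  # first fixed release per series (advisory)
_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)\d*)?")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """(major, minor, patch, flag): flag 0 for prereleases so 3.6.8-rc1 < 3.6.8."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised Juju version string: {text!r}")
    major, minor, patch = (int(p) for p in m.group(1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)


def is_affected(text: str) -> Optional[bool]:
    """True if the version predates its series' fix, False if fixed,
    None if the series is outside the advisory's scope (e.g. 4.x)."""
    ver = parse_version(text)
    fixed = FIXED.get(ver[0])
    return None if fixed is None else ver < fixed + (1,)


def triage(inventory: str) -> List[Tuple[str, str]]:
    """Map 'host version' inventory lines to (host, status) for reporting."""
    labels = {True: "affected", False: "fixed", None: "unknown-series"}
    rows = []
    for line in inventory.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            host, version = line.split(maxsplit=1)
            rows.append((host, labels[is_affected(version)]))
    return rows


# Constructed sample inventory for illustration.
SAMPLE_INVENTORY = """\
# host        juju version
ctrl-prod-1   3.6.7-genericlinux-amd64
ctrl-prod-2   3.6.8-genericlinux-amd64
ctrl-legacy   2.9.51-ubuntu-amd64
ctrl-staging  3.6.8-rc1-genericlinux-amd64
ctrl-next     4.0.0-beta1-genericlinux-amd64
"""
```

Versions in a series the advisory does not cover are reported as `unknown-series` rather than silently treated as fixed.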

The associated EPSS score has not materially changed: its peak and current value are both 0.0232.


Vulnerability details

In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1105 Ingress Tool Transfer (Command and Control): Adversaries may transfer tools or other files from an external system into a compromised environment.
Why these techniques?

The vulnerability in an exposed Juju controller lets an authenticated but unauthorized user upload a malicious agent binary (CWE-434/CWE-285); that binary is then distributed to machines and executed, yielding remote code execution. This maps directly to T1190 (exploitation of the public-facing controller) and T1105 (ingress of the attacker's binary into the environment).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-5412 · Same product: Canonical Juju
CVE-2026-4370 · Same product: Canonical Juju
CVE-2025-53513 · Same product: Canonical Juju
CVE-2026-32692 · Same product: Canonical Juju
CVE-2026-32693 · Same product: Canonical Juju
CVE-2025-15480 · Same vendor: Canonical
CVE-2026-34179 · Same vendor: Canonical
CVE-2026-2269 · Shared CWE-434
CVE-2025-25783 · Shared CWE-434
CVE-2025-14551 · Same vendor: Canonical

Affected Assets

Canonical Juju: ≤ 2.9.52 · 3.0 to 3.6.8

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces approved authorizations for access to upload agent binaries to models and controllers, directly preventing unauthorized distribution caused by missing model membership and permission checks.

CM-5 Access Restrictions for Change (prevent): Restricts and manages the ability of authenticated users to perform changes such as binary uploads, limiting the ability of low-privilege controller users to poison binaries across models.

Component authenticity verification (prevent): Requires verification of the authenticity of agent binaries prior to installation or execution on new or upgrading machines, blocking poisoned binaries from achieving remote code execution.
