CVE-2025-12548
Published: 13 January 2026
Summary
CVE-2025-12548 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability. Its CVSS base score is 9.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE is ranked in the top 36.8% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
A flaw was found in Eclipse Che che-machine-exec that exposes an unauthenticated JSON-RPC and websocket API on TCP port 3333. The issue, tracked as CVE-2025-12548 and assigned CWE-306, permits remote attackers to execute arbitrary commands and exfiltrate secrets such as SSH keys and tokens from other users' Developer Workspace containers. It carries a CVSS 3.1 score of 9.0.
Unauthenticated remote attackers can reach the API without credentials and target containers belonging to other users, achieving command execution and secret theft across workspace boundaries. The attack requires network access and leverages the lack of authentication on the exposed service, with the CVSS vector indicating low attack complexity once initial access is obtained.
Red Hat has published multiple errata (RHSA-2025:22620, RHSA-2025:22623, RHSA-2025:22652) along with a Bugzilla entry that address the vulnerability and provide mitigation guidance for affected Eclipse Che deployments.
EPSS for the CVE rose from lower values after the January 2026 disclosure to a peak of 0.5155 on 2026-04-21 before receding to the current 0.4520, indicating a material increase in exploitation interest several months post-publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-2332
Vulnerability details
A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, etc.) from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote exploitation of a service for arbitrary Unix shell command execution (T1210, T1059.004) and direct exfiltration of credentials stored in files, including private SSH keys and tokens (T1552.001, T1552.004).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authentication and authorization checks before permitting any access to the JSON-RPC/websocket API on port 3333.
- IA-2 (Identification and Authentication (Organizational Users)): requires unique identification and authentication of users before allowing access to the che-machine-exec service, eliminating the unauthenticated entry point.
- Restricts network-level access to TCP port 3333 and enforces boundary controls that would block remote attackers from reaching workspace containers across user boundaries.