Cyber Resilience

CVE-2025-12548

Severity: Critical
Published: 13 January 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: Red Hat errata RHSA-2025:22620, RHSA-2025:22623, RHSA-2025:22652
CVSS Score v3.1: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0116 (63.2nd percentile)
Risk Priority: 80 (floored blend, peak EPSS)

Summary

CVE-2025-12548 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210). The CVE is ranked in the top 36.8% of CVEs by exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

A flaw was found in Eclipse Che che-machine-exec that exposes an unauthenticated JSON-RPC and websocket API on TCP port 3333. The issue, tracked as CVE-2025-12548 and assigned CWE-306, permits remote attackers to execute arbitrary commands and exfiltrate secrets such as SSH keys and tokens from other users' Developer Workspace containers. It carries a CVSS 3.1 score of 9.0.

Unauthenticated remote attackers can reach the API without credentials and target containers belonging to other users, achieving command execution and secret theft across workspace boundaries. The attack requires network access to the exposed service and leverages its lack of authentication; the CVSS vector (AC:L) indicates low attack complexity once that network access is obtained.

Red Hat has published multiple errata (RHSA-2025:22620, RHSA-2025:22623, RHSA-2025:22652) along with a Bugzilla entry that address the vulnerability and provide mitigation guidance for affected Eclipse Che deployments.

EPSS for the CVE rose from lower values after the January 2026 disclosure to a peak of 0.5155 on 2026-04-21 before receding to the current 0.4520, indicating a material increase in exploitation interest several months post-publication.

Vulnerability details

A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, etc.) from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333.

CWE(s): CWE-306 Missing Authentication for Critical Function

Related Threats

MITRE ATT&CK Enterprise Techniques

T1210 Exploitation of Remote Services (Lateral Movement)
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

T1059.004 Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.

T1552.001 Credentials In Files (Credential Access)
Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials.

T1552.004 Private Keys (Credential Access)
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.
Why these techniques?

The vulnerability enables remote exploitation of a service for arbitrary Unix shell command execution (T1210, T1059.004) and direct exfiltration of credentials stored in files, including private SSH keys and tokens (T1552.001, T1552.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-27020 (shared CWE-306)
CVE-2025-13779 (shared CWE-306)
CVE-2026-27182 (shared CWE-306)
CVE-2026-22727 (shared CWE-306)
CVE-2020-37157 (shared CWE-306)
CVE-2023-54344 (shared CWE-306)
CVE-2025-21198 (shared CWE-306)
CVE-2026-4272 (shared CWE-306)
CVE-2019-25483 (shared CWE-306)
CVE-2023-54342 (shared CWE-306)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)
Directly enforces authentication and authorization checks before permitting any access to the unauthenticated JSON-RPC/websocket API on port 3333.

IA-2 Identification and Authentication (Organizational Users) (prevent)
Requires unique identification and authentication of users before allowing access to the che-machine-exec service, eliminating the unauthenticated entry point.

Network boundary control (prevent)
Restricts network-level access to TCP port 3333 and enforces boundary controls that would block remote attackers from reaching workspace containers across user boundaries.
