CVE-2025-13609
Published: 24 November 2025
Summary
CVE-2025-13609 is a high-severity Use of Multiple Resources with Duplicate Identifier (CWE-694) vulnerability. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Impersonation (T1684.001). Its exploit likelihood is ranked at the 26.0th percentile (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-3 (Device Identification and Authentication).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Ensures unique management of identifiers such as UUIDs to prevent their reuse or overwriting by agents with different TPM devices.
- Requires robust device identification and authentication tied to specific TPM hardware, blocking impersonation attempts during agent registration.
- Manages agent accounts, including registration, validation, and deactivation, so that only legitimate agent identities are authorized and overwrites are prevented.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables impersonation of legitimate Keylime agents by overwriting their UUID registration with a different TPM (T1656), facilitating the abuse of valid agent accounts/identities (T1078) and exploitation for defense evasion by bypassing attestation security controls (T1211).
NVD Description
A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.
Deeper analysis
CVE-2025-13609 is a vulnerability in keylime that allows an attacker to register a new agent using a different Trusted Platform Module (TPM) device while claiming the unique identifier (UUID) of an existing legitimate agent. This overwrites the legitimate agent's identity, enabling the attacker to impersonate the agent and potentially bypass security controls that rely on agent identity verification. Published on 2025-11-24, the issue is scored 8.2 under CVSS v3.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L) and maps to CWE-694.
The attack requires network access, low complexity, no user interaction, and high privileges (PR:H), with a scope change (S:C). A privileged attacker can exploit this by performing the malicious registration, achieving high integrity impact (I:H) through impersonation, along with low confidentiality (C:L) and availability (A:L) impacts, potentially undermining keylime's attestation and integrity measurement mechanisms.
Red Hat has issued multiple errata addressing CVE-2025-13609, including RHSA-2025:23201, RHSA-2025:23210, RHSA-2025:23628, RHSA-2025:23735, and RHSA-2025:23852, which provide mitigations such as updated keylime packages for affected Red Hat products.
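The duplicate-identifier pattern behind this CVE, and the registrar-side check that closes it, shown as an added example. This is a simplified, hypothetical model of an attestation registrar written for this page; it is not Keylime's code, and the EK values, UUID and class names are constructed.

```python
import hashlib

def tpm_fingerprint(ek_pub: bytes) -> str:
    """Stable device identity derived from the TPM endorsement key public part."""
    return hashlib.sha256(ek_pub).hexdigest()

class VulnerableRegistrar:
    """Keyed on the agent UUID only: a later registration silently replaces the first."""
    def __init__(self) -> None:
        self.agents = {}   # agent UUID -> TPM fingerprint
        self.audit = []

    def register(self, agent_uuid: str, ek_pub: bytes) -> bool:
        # CWE-694 pattern: never checks whether the UUID already belongs to another TPM.
        self.agents[agent_uuid] = tpm_fingerprint(ek_pub)
        return True

class HardenedRegistrar(VulnerableRegistrar):
    """Binds each UUID to the TPM that first enrolled it (IA-3 style device identity)."""
    def register(self, agent_uuid: str, ek_pub: bytes) -> bool:
        fp = tpm_fingerprint(ek_pub)
        existing = self.agents.get(agent_uuid)
        if existing is not None and existing != fp:
            # Same identifier, different device: refuse and leave a detection trail.
            self.audit.append(f"rejected re-registration of {agent_uuid} from tpm "
                              f"{fp[:12]} (bound to {existing[:12]})")
            return False
        # First enrolment, or the same TPM re-enrolling (e.g. after reboot): allowed.
        self.agents[agent_uuid] = fp
        return True

# Constructed sample inputs; real EK public keys are DER/PEM blobs read from the TPM.
LEGIT_EK = b"constructed-ek-pub-legitimate-host"
ROGUE_EK = b"constructed-ek-pub-attacker-host"
AGENT_UUID = "d432fbb3-d2f1-4a97-9ef7-75bd81c00000"  # constructed

def demo() -> dict:
    """Replay the CVE-2025-13609 sequence against both registrars."""
    vuln, hard = VulnerableRegistrar(), HardenedRegistrar()
    vuln.register(AGENT_UUID, LEGIT_EK)          # legitimate agent enrols first
    hard.register(AGENT_UUID, LEGIT_EK)
    return {
        "vuln_overwritten": vuln.register(AGENT_UUID, ROGUE_EK)
                            and vuln.agents[AGENT_UUID] == tpm_fingerprint(ROGUE_EK),
        "hard_rejected": not hard.register(AGENT_UUID, ROGUE_EK),
        "hard_same_tpm_ok": hard.register(AGENT_UUID, LEGIT_EK),
        "hard_owner_intact": hard.agents[AGENT_UUID] == tpm_fingerprint(LEGIT_EK),
        "audit_entries": len(hard.audit),
    }
```

The rejected re-registration is logged rather than silently dropped, which gives a detection point for the impersonation attempt that the overwrite in the vulnerable path hides.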
Details
- CWE(s)