CVE-2025-14551
Published: 09 April 2026
Summary
CVE-2025-14551 is a high-severity Exposure of Sensitive System Information Due to Uncleared Debug Information (CWE-1258) vulnerability in Canonical Ubuntu Subiquity. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Credentials In Files (T1552.001); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SI-11 (Error Handling).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Error handling in Subiquity crash reporting directly prevents disclosure of sensitive credentials like plaintext Wi-Fi passwords in generated logs.
Mandates review and restriction of publicly accessible content, such as crash logs attached to Launchpad bug reports, to exclude sensitive user credentials.
Requires filtering of sensitive information from outputs to external destinations like Launchpad prior to transmission in crash reports.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability causes plaintext credentials to be written into crash log files due to missing sanitization, directly enabling access to unsecured credentials stored on disk.
NVD Description
In Ubuntu, Subiquity version 24.04.4 could leak sensitive user credentials during crash reporting. Upon installation failure, if a user submitted a bug report to Launchpad, Subiquity could include certain user credentials, such as the user's plaintext Wi-Fi password, in the…
more
attached logs.
Deeper analysisAI
CVE-2025-14551 affects Subiquity version 24.04.4, the server installer component in Ubuntu. The vulnerability involves the unintended leakage of sensitive user credentials, such as plaintext Wi-Fi passwords, in crash logs generated during installation failures. If a user submits these logs as a bug report to Launchpad, the credentials are included in the publicly attached files, violating expected data handling in crash reporting. This issue is classified under CWE-1258 (improper handling of sensitive information due to missing design/input validation) with a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H), indicating high severity due to network accessibility, low complexity, and significant impacts on confidentiality and availability.
Exploitation requires low privileges (PR:L) on the affected system during the Ubuntu installation process using Subiquity 24.04.4. An attacker could trigger an installation failure, leading to crash log generation, and if the user or attacker submits the report to Launchpad, the plaintext credentials become publicly accessible over the network without user interaction beyond the submission. Successful exploitation allows remote attackers to obtain high-impact confidentiality breaches, such as Wi-Fi passwords, and potentially high availability disruption from the installation crash, though the primary concern is the exposure of credentials in public bug reports.
Mitigation is addressed through patches in the canonical/subiquity GitHub repository, specifically pull requests #2357 and #2358, which resolve the credential inclusion in crash logs. Security practitioners should ensure Subiquity is updated beyond version 24.04.4, advise users against submitting crash reports from affected installations to Launchpad, and review any existing public bug reports for exposed credentials.
Details
- CWE(s)