Cyber Resilience

CVE-2025-23015

High

Published: 04 February 2025

Modified: 14 July 2025
CVSS Score v3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0041 (61.6th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-23015 is a high-severity Privilege Defined With Unsafe Actions (CWE-267) vulnerability in Apache Cassandra. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks in the top 38.4% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-23015 is a Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra, classified under CWE-267. It affects Apache Cassandra versions through 3.0.30, 3.11.17, 4.0.15, 4.1.7, and 5.0.2. The flaw allows a user with MODIFY permission on all keyspaces to perform unsafe actions against a system resource, enabling privilege escalation to superuser within a targeted Cassandra cluster. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

An attacker requires low privileges—specifically, MODIFY permission on all keyspaces—and can exploit this over the network with low complexity and no user interaction. Successful exploitation grants superuser privileges in the Cassandra cluster, potentially allowing full control over the database, data manipulation, or further lateral movement. Operators who have granted broad MODIFY permissions across all keyspaces are particularly at risk and should audit access controls for potential breaches.

Apache advisories recommend upgrading to remediated versions: 3.0.31, 3.11.18, 4.0.16, 4.1.8, or 5.0.3, which address the issue. Additional guidance is available in the Apache security announcement and related oss-security mailing list posts, as well as vendor-specific advisories like NetApp's NTAP-20250214-0006.
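The two checks described above, a version comparison against the fixed releases and an audit for MODIFY on all keyspaces, as an added example that is not code from Apache or from this page. It assumes the permission listing is the pipe-delimited table cqlsh prints for `LIST ALL PERMISSIONS` (columns role, username, resource, permission); the sample rows and role names are constructed.

```python
import re

# Fixed release per release line, taken from the advisory text above.
FIXED = {(3, 0): 31, (3, 11): 18, (4, 0): 16, (4, 1): 8, (5, 0): 3}

def is_affected(version):
    """True/False for release lines named in the advisory, None for any other."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        return None
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    return None if fixed is None else patch < fixed

def broad_modify_roles(cqlsh_output):
    """Roles that hold MODIFY on all keyspaces (assumed cqlsh table layout)."""
    roles = set()
    for line in cqlsh_output.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 4 or cols[0] == "role":
            continue  # skips blank lines, the header and the dashed separator
        role, _username, resource, permission = cols
        if resource == "<all keyspaces>" and permission == "MODIFY":
            roles.add(role)
    return sorted(roles)

def roles_to_review(version, cqlsh_output):
    """Roles to review; empty only when the version is known to be fixed."""
    if is_affected(version) is False:
        return []
    return broad_modify_roles(cqlsh_output)

# Constructed sample of `LIST ALL PERMISSIONS` output.
SAMPLE = """
 role      | username  | resource             | permission
-----------+-----------+----------------------+------------
 etl_batch | etl_batch |      <all keyspaces> |     MODIFY
 etl_batch | etl_batch |      <all keyspaces> |     SELECT
 reporting | reporting | <keyspace analytics> |     SELECT
 app_write | app_write |    <keyspace orders> |     MODIFY
"""

if __name__ == "__main__":
    for v in ("4.1.7", "4.1.8"):
        print(v, "affected:", is_affected(v), "review:", roles_to_review(v, SAMPLE))
```

Roles flagged on an affected version are the accounts whose access rules the advisory asks operators to review; a version on a release line the advisory does not name returns `None` and is treated as unverified rather than safe.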

Vulnerability details

Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. A user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches. This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2. Users are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3, which fix the issue.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation · Tactic: Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

The vulnerability is a privilege escalation flaw allowing a low-privileged user (with MODIFY on all keyspaces) to gain superuser access via exploitation of unsafe permission handling in Apache Cassandra.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27314 · Same product: Apache Cassandra
CVE-2026-40048 · Same vendor: Apache
CVE-2026-24072 · Same vendor: Apache
CVE-2026-42809 · Same vendor: Apache
CVE-2026-30898 · Same vendor: Apache
CVE-2026-2460 · Shared CWE-267
CVE-2026-49157 · Same vendor: Apache
CVE-2026-39816 · Same vendor: Apache
CVE-2026-0945 · Shared CWE-267
CVE-2025-69219 · Same vendor: Apache

Affected Assets

Vendor: apache
Product: cassandra
Versions: 3.0.0 — 3.0.31 · 3.1 — 3.11.18 · 4.0.0 — 4.0.16

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly remediates the privilege escalation flaw by identifying, reporting, and correcting vulnerabilities through timely upgrades to patched Apache Cassandra versions.

prevent: Prevents exploitation by enforcing least privilege, ensuring users do not receive excessive MODIFY permissions on all keyspaces that enable unsafe privilege-escalating actions.

prevent: Manages Cassandra user accounts and permissions to avoid granting broad MODIFY access on all keyspaces, mitigating the risk of privilege escalation.
