CVE-2025-23196
Published: 21 January 2025
Summary
CVE-2025-23196 is a high-severity Command Injection (CWE-77) vulnerability in Apache Ambari. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A code injection vulnerability exists in Apache Ambari's Alert Definition feature. The flaw occurs when the script filename field supplied during alert definition is passed directly to a shell via `sh -c`, enabling arbitrary command execution. The affected component is the alert scripting mechanism within Ambari, and the issue is tracked as CWE-77 with a CVSS 3.1 score of 8.8.
An authenticated user with access to define alerts can supply a malicious filename that results in remote code execution on the Ambari server, potentially allowing full compromise of the host. No special user interaction or network-adjacent access is required beyond valid credentials.
Public advisories on the Apache mailing lists and OSS-Security list confirm that the vulnerability has been addressed in the latest Ambari releases, recommending that deployments upgrade to patched versions to eliminate the command-injection vector.
EPSS remains low at 0.0202 with no material increase since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3140
Vulnerability details
A code injection vulnerability exists in the Ambari Alert Definition feature, allowing authenticated users to inject and execute arbitrary shell commands. The vulnerability arises when defining alert scripts, where the script filename field is executed using `sh -c`. An attacker with authenticated access can exploit this vulnerability to inject malicious commands, leading to remote code execution on the server. The issue has been fixed in the latest versions of Ambari.
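As an added example (not code from this page or from the Ambari project), the pattern described above in Python: the vulnerable argv built around `sh -c` shown beside a hardened path that validates the script filename against an allowlist and runs it without a shell. SCRIPT_DIR, the allowlist regex and the sample names are assumptions constructed for this example.

```python
import re
import subprocess
from pathlib import PurePosixPath

# Constructed location for this example; Ambari's real script directory is not assumed.
SCRIPT_DIR = PurePosixPath("/opt/alert-scripts")
# Allowlist for a bare file name: conservative characters, no separators, bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,127}")

class UnsafeScriptName(ValueError):
    """Raised when an alert-script name fails validation."""

def vulnerable_argv(script_name: str) -> list[str]:
    """The pattern the advisory describes: the user-controlled file name is spliced
    into one string that `sh -c` hands to the shell parser, so any metacharacter
    in the name changes which commands run. Shown for contrast, never executed here."""
    return ["sh", "-c", f"{SCRIPT_DIR}/{script_name}"]

def validate_script_name(script_name: str) -> PurePosixPath:
    """SI-10 style validation: accept only an allowlisted bare file name and
    confirm the joined path still sits directly inside SCRIPT_DIR."""
    if not SAFE_NAME.fullmatch(script_name):
        raise UnsafeScriptName(f"rejected script name: {script_name!r}")
    target = SCRIPT_DIR / script_name
    if target.parent != SCRIPT_DIR:  # defence in depth; the regex already forbids '/'
        raise UnsafeScriptName(f"path escapes script directory: {script_name!r}")
    return target

def is_safe_script_name(script_name: str) -> bool:
    """Boolean form of validate_script_name for callers that only need a verdict."""
    try:
        validate_script_name(script_name)
        return True
    except UnsafeScriptName:
        return False

def hardened_argv(script_name: str) -> list[str]:
    """Hardened form: the validated path is its own argv element; no shell is involved."""
    return [str(validate_script_name(script_name))]

def run_alert_script(script_name: str, timeout: float = 30.0) -> int:
    """Execute a validated alert script with shell=False and return its exit status."""
    return subprocess.run(hardened_argv(script_name), shell=False,
                          timeout=timeout, check=False).returncode

def invokes_shell_on_string(argv: list[str]) -> bool:
    """Code-review heuristic: true when argv hands a whole string to `sh -c` or `bash -c`."""
    return (len(argv) >= 3 and argv[1] == "-c"
            and PurePosixPath(argv[0]).name in {"sh", "bash", "dash"})
```

The contrast to look for in review is the shape of argv: a single string handed to `sh -c` is parsed by the shell, while a validated path passed as its own argv element is not.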
- CWE(s): CWE-77 (Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The command injection vulnerability (via sh -c on script filename) directly enables remote code execution on the Ambari server application, mapping to exploitation of a public-facing application (T1190) and arbitrary Unix shell command execution (T1059.004).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly prevents command injection by requiring validation of untrusted inputs such as the script filename field executed via sh -c.
- SI-2 (Flaw Remediation): Ensures timely patching of the specific code injection flaw fixed in the latest Ambari versions.
- Limits damage from RCE by enforcing least privilege on Ambari server processes and restricting alert definition access to the roles that need it.