Cyber Posture

CVE-2025-29266

Severity: Critical
Published: 31 March 2025
Modified: 15 April 2026
KEV Added: not listed
Patch: Unraid 7.0.1 or later
CVSS Score: 9.6 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0210 (84.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-29266 is a critical-severity Authentication Bypass by Alternate Name (CWE-289) vulnerability in the Unraid WebGUI (product inferred from references). Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 15.8% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190).
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation (prevent)
Directly remediates the authentication bypass flaw by requiring identification, reporting, and correction via patching to Unraid 7.0.1 or later.

AC-17 Remote Access (prevent)
Mandates control and authentication of remote access methods, blocking unauthenticated exploitation of the WebGUI and web console from adjacent networks.

Secure configuration baseline, control identifier not listed on this page (prevent)
Enforces secure baseline configuration settings to prohibit risky container setups, such as Host networking mode combined with Tailscale, that expose vulnerable interfaces.

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The authentication bypass in the WebGUI and web console, when those interfaces are exposed through a container using Host networking with Tailscale enabled, gives a remote user direct access to a network-reachable application and root on the host at the point of initial entry.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Unraid 7.0.0 before 7.0.1 allows remote users to access the Unraid WebGUI and web console as root without authentication if a container is running in Host networking mode with Use Tailscale enabled.

Deeper analysis (AI)

CVE-2025-29266 is an authentication bypass vulnerability affecting Unraid OS version 7.0.0 before 7.0.1, specifically in the WebGUI and web console components. It arises when a container is configured to run in Host networking mode with the Use Tailscale option enabled, allowing remote users to access these interfaces as root without any authentication. The vulnerability is classified under CWE-289 (Authentication Bypass by Alternate Name) and carries a CVSS v3.1 base score of 9.6 (AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H), reflecting the potential for complete system compromise.

Attackers on an adjacent network (AV:A) can exploit this issue with low complexity and no required privileges or user interaction. The only precondition is a container running in Host networking mode with Use Tailscale enabled; once that configuration is present, remote users can reach the Unraid WebGUI and web console directly as root. Successful exploitation yields high-impact confidentiality, integrity, and availability loss, including full administrative control over the host system.

Unraid addresses this vulnerability in version 7.0.1, as detailed in the official release notes. Administrators should upgrade to Unraid 7.0.1 or later and, in the meantime, review container configurations to disable Use Tailscale or avoid Host networking mode where possible. Additional details are available in the Unraid WebGUI GitHub repository and advisories from edac.dev.
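A defender-side audit of the precondition described above, added here as an example that is not part of this page or of Unraid's own tooling: it lists containers that combine host networking with the Use Tailscale toggle on a 7.0.0 host, so an administrator can see what to fix before the upgrade. The `version="..."` format of /etc/unraid-version and the `<TailscaleEnabled>` element in the dockerMan template XML are assumptions to verify locally; the sample inputs are constructed.

```python
import json
import re
import xml.etree.ElementTree as ET

AFFECTED = (7, 0, 0)  # NVD: Unraid 7.0.0 before 7.0.1 is affected

def parse_unraid_version(text):
    """Extract "7.0.0" from /etc/unraid-version (assumed format: version="7.0.0")."""
    m = re.search(r'version="([^"]+)"', text)
    return m.group(1) if m else None

def is_affected_version(version):
    """True only for 7.0.0 builds; 7.0.1 and later carry the fix."""
    nums = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return nums == AFFECTED

def tailscale_enabled(template_xml):
    """Read the "Use Tailscale" toggle; the <TailscaleEnabled> element name is an assumption."""
    node = ET.fromstring(template_xml).find("TailscaleEnabled")
    return node is not None and (node.text or "").strip().lower() == "true"

def risky_containers(version_text, inspect_json, templates):
    """Names of containers meeting the advisory precondition on an affected host."""
    version = parse_unraid_version(version_text)
    if version is None or not is_affected_version(version):
        return []
    hits = []
    for c in json.loads(inspect_json):  # parsed output of `docker inspect <ids>`
        name = c["Name"].lstrip("/")
        host_net = c["HostConfig"].get("NetworkMode") == "host"
        if host_net and tailscale_enabled(templates.get(name, "<Container/>")):
            hits.append(name)
    return hits

# Constructed sample input: one risky container, one bridged, one host-only.
SAMPLE_VERSION = 'version="7.0.0"\n'
SAMPLE_INSPECT = json.dumps([
    {"Name": "/plex", "HostConfig": {"NetworkMode": "host"}},
    {"Name": "/nginx", "HostConfig": {"NetworkMode": "bridge"}},
    {"Name": "/syncthing", "HostConfig": {"NetworkMode": "host"}},
])
SAMPLE_TEMPLATES = {
    "plex": "<Container><TailscaleEnabled>true</TailscaleEnabled></Container>",
    "nginx": "<Container><TailscaleEnabled>true</TailscaleEnabled></Container>",
    "syncthing": "<Container><TailscaleEnabled>false</TailscaleEnabled></Container>",
}

if __name__ == "__main__":
    print(risky_containers(SAMPLE_VERSION, SAMPLE_INSPECT, SAMPLE_TEMPLATES))  # ['plex']
```

On a live host, feed it the contents of /etc/unraid-version, `docker inspect $(docker ps -q)`, and the per-container template files; an empty result on a 7.0.1 host is expected because the check is version-gated.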

Details

CWE(s)
CWE-289 Authentication Bypass by Alternate Name

Affected Products
Unraid WebGUI (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2024-56511 (shared CWE-289)
CVE-2025-13613 (shared CWE-289)
CVE-2024-11283 (shared CWE-289)
CVE-2026-32036 (shared CWE-289)
CVE-2025-55130 (shared CWE-289)
CVE-2026-24058 (shared CWE-289)
