Cyber Resilience

CVE-2025-4598

Severity: Medium · Public PoC · Updated

Published: 30 May 2025

Modified: 19 May 2026
KEV Added: not listed
Patch: not listed
CVSS Score (v3.1): 4.7 (CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0011 (29.3rd percentile)
Risk Priority: 9 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-4598 is a medium-severity Signal Handler Race Condition (CWE-364) vulnerability in systemd (systemd project). Its CVSS base score is 4.7 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique T1003.008 (/etc/passwd and /etc/shadow). The CVE is ranked at the 29.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

EU & UK References

Vulnerability details

A vulnerability was found in systemd-coredump. This flaw allows an attacker to force a SUID process to crash and replace it with a non-SUID binary to access the original privileged process's coredump, allowing the attacker to read sensitive data, such as /etc/shadow content, loaded by the original process. A SUID binary or process has a special type of permission, which allows the process to run with the file owner's permissions, regardless of the user executing the binary. This allows the process to access more restricted data than unprivileged users or processes would be able to. An attacker can leverage this flaw by forcing a SUID process to crash and forcing the Linux kernel to recycle the process PID before systemd-coredump can analyze the /proc/pid/auxv file. If the attacker wins the race condition, they gain access to the original SUID process's coredump file. They can read sensitive content loaded into memory by the original binary, affecting data confidentiality.
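The description above turns on two host settings: whether the kernel pipes crashes to systemd-coredump at all, and whether SUID processes are dumped. The following audit helper is an added example, not code from this record or from the systemd project; it assumes the documented kernel semantics of fs.suid_dumpable (0 = never dump setuid processes, 1 = dump like any process, 2 = dump only through a root-owned pipe handler) and that a kernel.core_pattern beginning with "|" names a pipe handler, and it uses a constructed core_pattern string for illustration.

```shell
#!/bin/sh
# Added audit helper for CVE-2025-4598 (constructed example, not the
# record's or systemd's own code). Reports whether a host is in the
# configuration the flaw concerns: SUID crashes piped to systemd-coredump.
# Assumed (kernel sysctl semantics, not stated on the page):
#   fs.suid_dumpable 0 = setuid processes are never dumped
#                    1 = dumped like any process (debug only)
#                    2 = dumped only via a root-owned pipe handler
#   kernel.core_pattern starting with '|' pipes the dump to a helper.

# Human-readable verdict for one fs.suid_dumpable value.
suid_dumpable_verdict() {
  case "$1" in
    0) echo "safe: SUID processes are not dumped" ;;
    1) echo "unsafe: SUID processes dumped as regular files" ;;
    2) echo "exposed: SUID dumps are passed to the core handler" ;;
    *) echo "unknown value: $1" ;;
  esac
}

# Pipe-handler path from a core_pattern string, or "file" when the
# kernel writes core files itself (no handler involved).
core_handler() {
  case "$1" in
    '|'*) printf '%s\n' "${1#?}" | cut -d' ' -f1 ;;
    *) echo "file" ;;
  esac
}

# Combine both settings into one finding for this CVE.
#   $1 = fs.suid_dumpable value, $2 = kernel.core_pattern string
coredump_exposure() {
  handler=$(core_handler "$2")
  case "$handler" in
    *systemd-coredump*)
      if [ "$1" = "0" ]; then
        echo "not exposed: systemd-coredump is the handler but SUID dumps are disabled"
      else
        echo "exposed: systemd-coredump receives SUID dumps (fs.suid_dumpable=$1)"
      fi ;;
    *) echo "not exposed: core handler is $handler" ;;
  esac
}

# Live audit on a Linux host; skipped quietly where /proc/sys is absent.
if [ -r /proc/sys/fs/suid_dumpable ] && [ -r /proc/sys/kernel/core_pattern ]; then
  sd=$(cat /proc/sys/fs/suid_dumpable)
  cp=$(cat /proc/sys/kernel/core_pattern)
  echo "fs.suid_dumpable=$sd -> $(suid_dumpable_verdict "$sd")"
  echo "kernel.core_pattern handler: $(core_handler "$cp")"
  coredump_exposure "$sd" "$cp"
fi
```

An "exposed" finding on a host running one of the affected systemd versions listed below is the condition to patch or reconfigure; the helper only reads sysctl values and changes nothing.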

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1003.008 /etc/passwd and /etc/shadow (Credential Access): Adversaries may attempt to dump the contents of /etc/passwd and /etc/shadow to enable offline password cracking.
T1212 Exploitation for Credential Access (Credential Access): Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
Why these techniques?

CVE-2025-4598 in systemd-coredump lets a local unprivileged attacker exploit a race condition on SUID process crashes and read privileged core dumps containing sensitive data such as /etc/shadow (T1003.008), a form of exploitation for credential access (T1212).

Affected Assets

Vendor: product, affected versions
systemd project: systemd, ≤ 252.37; 253 to 253.32; 254 to 254.25
redhat: openshift container platform, 4.0
redhat: enterprise linux, 10.0, 7.0, 8.0, 9.0
debian: debian linux, 11.0, 12.0
oracle: linux, 8, 9
linux: linux kernel, ≤ 6.16

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References