
CVE-2025-64420

Critical · Public PoC

Published: 05 January 2026
Modified: 12 January 2026
KEV Added: not listed
Patch: not recorded
CVSS Score (v3.1): 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.0050 (38.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2025-64420 is a critical-severity Insufficiently Protected Credentials (CWE-522) vulnerability in Coollabs Coolify. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Private Keys (T1552.004). The CVE ranks at the 38.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-64420 is a critical vulnerability in Coolify, an open-source and self-hostable tool for managing servers, applications, and databases. In versions prior to and including v4.0.0-beta.434, low-privileged users can access the private key of the root user on the Coolify instance. This issue, tied to CWE-522 (Insufficiently Protected Credentials), carries a CVSS v3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), reflecting its severe potential impact.

An attacker with low privileges and network access to the Coolify instance can exploit this vulnerability with low complexity and no user interaction required. By viewing the exposed root private key, they can use it to authenticate via SSH directly as the root user on the server, achieving full administrative control. This grants high-impact privileges over confidentiality, integrity, and availability across the affected system's scope.

The primary reference, a GitHub security advisory (GHSA-qwxj-qch7-whpc), states that as of the CVE's publication on 2026-01-05, it remains unclear if a patch is available. Administrators should limit low-privileged user access, monitor the Coolify repository for updates, and audit exposed credentials in affected deployments until official mitigation guidance is released.

Vulnerability details

Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low-privileged users are able to see the private key of the root user on the Coolify instance. This allows them to SSH to the server and authenticate as the root user using that private key. As of the time of publication, it is unclear if a patch is available.

CWE(s)

CWE-522 Insufficiently Protected Credentials

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1552.004 Private Keys (Credential Access)
Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials.

T1021.004 SSH (Lateral Movement)
Adversaries may use [Valid Accounts](https://attack.
Why these techniques?

Direct exposure of root private key (T1552.004) enables SSH authentication as root (T1021.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-22612 · Same product: Coollabs Coolify
CVE-2025-22609 · Same product: Coollabs Coolify
CVE-2025-64423 · Same product: Coollabs Coolify
CVE-2025-64421 · Same product: Coollabs Coolify
CVE-2025-66209 · Same product: Coollabs Coolify
CVE-2025-64419 · Same product: Coollabs Coolify
CVE-2025-22606 · Same product: Coollabs Coolify
CVE-2025-22605 · Same product: Coollabs Coolify
CVE-2025-64424 · Same product: Coollabs Coolify
CVE-2025-59158 · Same product: Coollabs Coolify

Affected Assets

coollabs / coolify: 4.0.0 · ≤ 4.0.0

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: IA-5 mandates protection of authenticators such as the root private key from unauthorized disclosure to low-privileged users.

Prevent: AC-6 enforces least privilege, preventing low-privileged users from accessing root private keys needed for SSH escalation.

Prevent: AC-3 requires enforcement of access control policies to block low-privileged users from viewing sensitive root credentials in the Coolify interface.
