Cyber Resilience

CVE-2026-25499

High · Public PoC

Published: 04 February 2026
Modified: 11 February 2026
KEV Added: not listed
Patch: version 0.93.1
CVSS v4 score: 8.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0043 (34.4th percentile)
Risk priority: 55 (floored blend, peak EPSS)

Summary

CVE-2026-25499 is a high-severity Path Traversal (CWE-22) vulnerability in Bpg Terraform Provider. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 34.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and CM-6 (Configuration Settings).

Deeper analysis

CVE-2026-25499 is a vulnerability in bpg/terraform-provider-proxmox, a Terraform and OpenTofu provider that adds support for Proxmox Virtual Environment. In versions prior to 0.93.1, the SSH configuration documentation suggests an insecure sudoers line that allows directory traversal via "../" sequences, enabling modification of arbitrary files on the affected host. Published on 2026-02-04, the issue is associated with CWE-22 (Path Traversal) and CWE-1188, and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), reflecting a high integrity impact.

Exploitation requires a Proxmox host configured with the sudoers line recommended by the vulnerable documentation, together with SSH access as the user named in that line. With network access and no privileges, authentication, or user interaction needed, an attacker holding that account can escape the intended directory and edit any file on the system, potentially leading to unauthorized changes, misconfigurations, or further compromise of the Proxmox environment.

The vulnerability has been addressed in version 0.93.1 of the provider. GitHub security advisories (GHSA-gwch-7m8v-7544) and the patching commit (bd604c41a31e2a55dd6acc01b0608be3ea49c023) on the bpg/terraform-provider-proxmox repository detail the fix and recommend upgrading to the patched version while reviewing and correcting any deployed insecure sudoers configurations.
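The weakness described above lives in a sudoers rule rather than in the provider binary, so the practical check is an audit of the sudoers files on each Proxmox host. The POSIX shell helper below is an added example, not code from the advisory or from the provider's documentation. It relies on the documented sudoers(5) behaviour that a wildcard inside a command-line argument matches across word boundaries and across "/", which is why a directory wildcard cannot confine writes to that directory; it lists every rule whose command list contains a wildcard, and shows the file-name check a fixed wrapper command should perform instead. The sample sudoers file is constructed for the demonstration and is not the line from the provider's documentation.

```shell
#!/bin/sh
# Added audit helper; not from the advisory or the provider's docs.
# sudoers(5): in command-line arguments a wildcard ('*' or '?') matches across
# word boundaries and matches '/', so a rule like
#   /usr/bin/tee /etc/example/*
# also authorises /usr/bin/tee /etc/example/../anything. List such rules so an
# operator can review each one for traversal exposure.

flag_wildcard_rules() {
    # $1: sudoers file or /etc/sudoers.d fragment to audit.
    # Split each line at the first '=' so $2 is the run-as/tag/command list,
    # skip comments, blank lines and Defaults, and print rules with a wildcard.
    awk -F'=' '
        /^[ \t]*(#|Defaults)/ { next }
        NF >= 2 && (index($2, "*") > 0 || index($2, "?") > 0) { print }
    ' "$1"
}

# Hardened alternative to a wildcard rule: grant a fixed wrapper command that
# takes a bare file name and writes it under the allowed directory. This is the
# check such a wrapper must make before touching "$1/$2".
path_stays_in_dir() {
    # $1: allowed directory, $2: requested file name (must be a plain name)
    case "$2" in
        ''|/*|*/*|.|..) return 1 ;;   # empty, absolute, nested, or dot names
    esac
    return 0
}

# Constructed sample sudoers content for the demo; not a real deployment.
SAMPLE_SUDOERS="$(mktemp)"
cat > "$SAMPLE_SUDOERS" <<'EOF'
# constructed sample, not a real deployment
Defaults env_reset
root ALL=(ALL:ALL) ALL
deploy ALL=(root) NOPASSWD: /usr/bin/tee /etc/example/*
deploy ALL=(root) NOPASSWD: /usr/bin/systemctl restart example.service
ops ALL=(root) NOPASSWD: /usr/local/sbin/write-example-config
EOF

# Only the tee rule with the directory wildcard is reported.
flag_wildcard_rules "$SAMPLE_SUDOERS"
```

Run it against `/etc/sudoers` and each file in `/etc/sudoers.d/` with root privileges; every reported rule deserves a review, and any that grants a file-writing command (tee, cp, editors) with a directory wildcard should be replaced by an exact command or a wrapper that applies a check like `path_stays_in_dir` before writing.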


Vulnerability details

Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in escaping the folder using ../, allowing any files on the system to be edited. This issue has been patched in version 0.93.1.

CWE(s): CWE-22 (Path Traversal), CWE-1188 (Initialization of a Resource with an Insecure Default)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
- T1548.003 Sudo and Sudo Caching (Privilege Escalation): Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges.
Why these techniques?

The path traversal in the documented sudoers configuration directly allows a low-privileged SSH user to perform arbitrary file modifications, enabling local privilege escalation (T1068) by abusing the sudo elevation control mechanism (T1548.003) to write to sensitive system files.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2016-20041 (shared CWE-22)
- CVE-2025-66429 (shared CWE-22)
- CVE-2025-54307 (shared CWE-22)
- CVE-2026-20688 (shared CWE-22)
- CVE-2026-32060 (shared CWE-22)
- CVE-2026-20614 (shared CWE-22)
- CVE-2025-48567 (shared CWE-22)
- CVE-2026-20615 (shared CWE-22)
- CVE-2026-28827 (shared CWE-22)
- CVE-2025-55282 (shared CWE-22)

Affected Assets

bpg terraform provider, version ≤ 0.93.1

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent · AC-6 Least Privilege: Least privilege directly mitigates the insecure sudoers configuration by restricting SSH users from having permissions that allow directory traversal and arbitrary file modifications on Proxmox hosts.

Prevent · CM-6 Configuration Settings: Secure configuration settings ensure sudoers files are not configured per the vulnerable documentation, preventing path traversal vulnerabilities in Proxmox environments.

Prevent · SI-10 Information Input Validation: Information input validation at file path interfaces blocks directory traversal sequences like '../' that the insecure sudoers line enables for arbitrary file edits.
