Vulnerabilities ›

CVE-2025-57851

Medium

CWE-276 — Weakness Type

                    Published: Apr 8, 2026                      ·  Modified: Apr 11, 2026                      ·  Source: NVD                

CVSS v3

6.4

🔗 NVD Official

📄 Description (English)

A container privilege escalation flaw was found in certain Multicluster Engine for Kubernetes images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.

🤖 AI Executive Summary

CVE-2025-57851 is a container privilege escalation vulnerability in Multicluster Engine for Kubernetes where /etc/passwd is created with group-writable permissions during build time. Non-root users in the root group can modify this file to add arbitrary users with UID 0, achieving full root privileges within containers. With no patch currently available and medium CVSS score of 6.4, this poses significant risk to containerized deployments in Saudi organizations running Kubernetes infrastructure.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 14, 2026 03:40

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability primarily impacts Saudi organizations operating Kubernetes clusters, particularly: (1) Government agencies and NCA infrastructure using containerized applications for digital transformation initiatives; (2) Banking sector (SAMA-regulated institutions) running microservices architectures; (3) Telecommunications providers (STC, Mobily) with containerized network functions; (4) Energy sector (ARAMCO, SEC) utilizing Kubernetes for operational technology; (5) Healthcare organizations deploying containerized medical systems. The vulnerability allows lateral privilege escalation within containers, potentially compromising sensitive data and critical services.

🏢 Affected Saudi Sectors

Government Banking Telecommunications Energy Healthcare Cloud Service Providers

🎯 MITRE ATT&CK Techniques

T1548.001 - Abuse Elevation Control Mechanism: Setuid and Setgid T1548.003 - Abuse Elevation Control Mechanism: Sudo and Sudo Caching T1548.004 - Abuse Elevation Control Mechanism: Elevated Execution with Prompt T1134.001 - Access Token Manipulation: Token Impersonation or Theft T1547.001 - Boot or Logon Initialization Scripts: Logon Script (Windows) T1543.001 - Create or Modify System Process: Launch Agent T1611 - Escape to Host

⚖️ Saudi Risk Score (AI)

7.2

/ 10.0

🔧 Remediation Steps (English)

Immediate Actions:

1. Audit all Multicluster Engine for Kubernetes deployments to identify affected versions

2. Implement strict container image scanning policies to detect group-writable /etc/passwd permissions

3. Review container runtime security policies and enforce read-only root filesystems where possible



Compensating Controls (until patch available):

1. Restrict container execution to specific non-root users and prevent root group membership

2. Implement Pod Security Standards (PSS) with restricted profile to limit container capabilities

3. Use securityContext in Kubernetes manifests: set fsGroup restrictions and readOnlyRootFilesystem: true

4. Deploy network policies to isolate container traffic and limit lateral movement

5. Enable audit logging for all container privilege escalation attempts

6. Implement runtime security monitoring (Falco, Sysdig) to detect /etc/passwd modifications



Detection Rules:

1. Monitor for write operations to /etc/passwd from non-root processes

2. Alert on UID 0 user creation attempts within containers

3. Track group membership changes in root group

4. Monitor container escape attempts and privilege escalation patterns



Patching Guidance:

1. Monitor Red Hat and Kubernetes security advisories for official patches

2. Prepare container image rebuild procedures with corrected file permissions (644 for /etc/passwd)

3. Implement image signing and verification to prevent unauthorized modifications

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تدقيق جميع نشرات Multicluster Engine for Kubernetes لتحديد الإصدارات المتأثرة

2. تنفيذ سياسات فحص صور الحاويات الصارمة للكشف عن أذونات /etc/passwd القابلة للكتابة من قبل المجموعة

3. مراجعة سياسات أمان وقت تشغيل الحاويات وفرض أنظمة ملفات الجذر للقراءة فقط حيث أمكن

الضوابط التعويضية (حتى توفر التصحيح):

1. تقييد تنفيذ الحاويات لمستخدمين غير جذر محددين ومنع عضوية مجموعة الجذر

2. تنفيذ معايير أمان Pod (PSS) مع ملف تعريف مقيد لتحديد قدرات الحاويات

3. استخدام securityContext في بيانات Kubernetes: تعيين قيود fsGroup و readOnlyRootFilesystem: true

4. نشر سياسات الشبكة لعزل حركة الحاويات وتحديد الحركة الجانبية

5. تفعيل تسجيل التدقيق لجميع محاولات تصعيد امتيازات الحاويات

6. تنفيذ مراقبة أمان وقت التشغيل (Falco, Sysdig) للكشف عن تعديلات /etc/passwd

قواعد الكشف:

1. مراقبة عمليات الكتابة إلى /etc/passwd من عمليات غير جذر

2. تنبيهات محاولات إنشاء مستخدم UID 0 داخل الحاويات

3. تتبع تغييرات عضوية المجموعة في مجموعة الجذر

4. مراقبة محاولات الهروب من الحاويات وأنماط تصعيد الامتيازات

إرشادات التصحيح:

1. مراقبة استشارات أمان Red Hat و Kubernetes للحصول على التصحيحات الرسمية

2. تحضير إجراءات إعادة بناء صور الحاويات برمز أذونات مصحح (644 لـ /etc/passwd)

3. تنفيذ التوقيع على الصور والتحقق منها لمنع التعديلات غير المصرح بها

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.5.1.1 - Access Control Policies ECC 2024 A.8.1.1 - User Endpoint Devices ECC 2024 A.8.2.1 - Privileged Access Rights ECC 2024 A.8.2.3 - Access Restriction and Authentication ECC 2024 A.12.6.1 - Management of Technical Vulnerabilities

🔵 SAMA CSF

SAMA CSF ID.AM-2 - Software, platforms, and applications are cataloged SAMA CSF PR.AC-1 - Identities and credentials are issued and managed SAMA CSF PR.AC-4 - Access rights are managed based on the principle of least privilege SAMA CSF DE.CM-8 - Malicious code is detected SAMA CSF RS.MI-2 - Incidents are mitigated

🟡 ISO 27001:2022

ISO 27001:2022 A.5.3 - Segregation of duties ISO 27001:2022 A.8.2 - User access management ISO 27001:2022 A.8.3 - User responsibilities ISO 27001:2022 A.12.6 - Management of technical vulnerabilities ISO 27001:2022 A.14.2 - Development and change management

🟣 PCI DSS v4.0.1

PCI DSS 2.1 - Establish configuration standards PCI DSS 6.2 - Ensure security patches are installed PCI DSS 7.1 - Limit access to system components PCI DSS 8.1 - Assign unique user IDs

🔗 References & Sources 2

🔗

https://access.redhat.com/security/cve/CVE-2025-57851

secalert@redhat.com

🔗

https://bugzilla.redhat.com/show_bug.cgi?id=2391104

secalert@redhat.com

📊 CVSS Score

6.4

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Attack VectorL — Low / Local

Attack ComplexityH — High

Privileges RequiredH — High

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity Medium

CVSS Score6.4

CWECWE-276

EPSS0.01%

Exploit No

Patch ✗ No

Published 2026-04-08

Source Feed nvd

🇸🇦 Saudi Risk Score

7.2

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-276

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2025-57851

Introduce Yourself

Sign In Required