CVE-2025-12801 is a vulnerability discovered in the rpc.mountd daemon component of the nfs-utils package on Red Hat Enterprise Linux 10. The issue arises from incorrect execution-assigned permissions during the mount operation of NFSv3 clients. Normally, access to exported directories is controlled by the /etc/exports file, which specifies which clients can mount directories and what permissions they have, including options like root_squash and all_squash that restrict root or all user privileges from the client side. However, due to this vulnerability, an NFSv3 client can bypass these restrictions and gain access to any subdirectory or subtree within the exported directory, ignoring the intended file permission settings and squash options. This flaw allows privilege escalation at mount time, effectively granting broader access than intended. The vulnerability is exploitable remotely over the network with low complexity and requires only low privileges on the client side, without any user interaction. The CVSS v3.1 score is 6.5 (medium severity), reflecting high confidentiality impact but no impact on integrity or availability. No public exploits have been reported yet, and no patches are linked in the provided data, indicating that mitigation may currently rely on configuration workarounds or awaiting official updates from Red Hat.

The primary impact of CVE-2025-12801 is unauthorized access to sensitive data stored on NFS exports. Attackers exploiting this vulnerability can bypass access controls and view or read files in subdirectories that should be restricted, potentially exposing confidential or sensitive information. This can lead to data leakage and compromise of confidentiality. Since the vulnerability does not affect integrity or availability, attackers cannot modify or delete files or disrupt service directly via this flaw. However, unauthorized data access can have serious consequences, including compliance violations, intellectual property theft, and exposure of personally identifiable information. Organizations relying on NFSv3 exports in Red Hat Enterprise Linux 10 environments are at risk, especially those with sensitive data shared over NFS. The network-exposed nature of rpc.mountd increases the attack surface, and the ease of exploitation without user interaction raises the likelihood of targeted or opportunistic attacks once exploits become available.

To mitigate CVE-2025-12801, organizations should first monitor Red Hat advisories for official patches and apply them promptly once released. Until patches are available, administrators should review and tighten /etc/exports configurations by limiting exported directories to only necessary clients and paths, avoiding broad subtree exports. Disabling NFSv3 in favor of NFSv4, which has improved security features, can reduce exposure. Implement network-level controls such as firewall rules to restrict access to rpc.mountd ports (typically port 892) to trusted hosts only. Use TCP wrappers or SELinux policies to limit rpc.mountd access. Regularly audit NFS export permissions and logs to detect unusual mount attempts or access patterns. Consider deploying intrusion detection systems to monitor for anomalous NFS traffic. Finally, educate system administrators about the risks of exporting directories with overly permissive options like no_root_squash and encourage least privilege principles in NFS configurations.