
CVE-2025-13609: Use of Multiple Resources with Duplicate Identifier in Red Hat Enterprise Linux 10

Severity: High
Published: Mon Nov 24 2025 (11/24/2025, 18:08:56 UTC)
Source: CVE Database V5
Vendor/Project: Red Hat
Product: Red Hat Enterprise Linux 10

Description

A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.

AI-Powered Analysis

Last updated: 11/24/2025, 18:37:05 UTC

Technical Analysis

CVE-2025-13609 is a vulnerability identified in the keylime component of Red Hat Enterprise Linux 10, related to the use of multiple resources with duplicate identifiers. Keylime is a framework that uses Trusted Platform Module (TPM) devices to attest to the integrity of a system by registering agents uniquely identified by UUIDs. The vulnerability arises when an attacker registers a new agent using a different TPM device but claims the UUID of an existing legitimate agent. This action overwrites the legitimate agent's identity in the system, enabling the attacker to impersonate the compromised agent. Such impersonation can allow the attacker to bypass security controls that rely on agent identity for trust decisions, potentially leading to unauthorized access or manipulation of system resources.

The vulnerability has a CVSS 3.1 score of 8.2, indicating high severity. The attack vector is network-based (AV:N), requiring high privileges (PR:H) but no user interaction (UI:N). The scope is changed (S:C), meaning the vulnerability affects components beyond the initially vulnerable one. The impact affects confidentiality (C:L), integrity (I:H), and availability (A:L), with integrity being the most severely impacted due to the identity overwrite and impersonation.

No known exploits are currently in the wild, and no patches are explicitly linked yet, but the vulnerability is published and recognized by Red Hat. This flaw can undermine the trust model of TPM-based attestation, critical for secure platform verification and integrity assurance in enterprise environments.

Potential Impact

For European organizations, especially those relying on Red Hat Enterprise Linux 10 with keylime for TPM-based attestation and platform integrity verification, this vulnerability poses significant risks. The ability for an attacker to impersonate a legitimate agent by overwriting its identity can lead to unauthorized access to sensitive systems and data, bypassing security controls that depend on trusted agent identities. This can compromise confidentiality and integrity of critical systems, potentially affecting sectors such as finance, government, telecommunications, and critical infrastructure. The availability impact is lower but still present due to possible disruption of agent services. Given the network attack vector and the requirement for high privileges, insider threats or attackers who have already gained elevated access could exploit this vulnerability to escalate their control and evade detection. The scope change indicates that the vulnerability could affect multiple components or systems relying on keylime attestation, amplifying the potential damage. European organizations with stringent compliance requirements around system integrity and security posture may face regulatory and reputational consequences if exploited.

Mitigation Recommendations

1. Apply official patches and updates from Red Hat as soon as they are released to address CVE-2025-13609.
2. Implement strict validation mechanisms in keylime to ensure that UUIDs cannot be duplicated or overwritten by new TPM device registrations.
3. Monitor logs and alerts for any suspicious activity related to agent registration, especially duplicate UUID claims or unexpected TPM device changes.
4. Restrict permissions for registering TPM devices and agents to trusted administrators only, minimizing the risk of privilege abuse.
5. Employ network segmentation and access controls to limit exposure of keylime services to only necessary and trusted network zones.
6. Conduct regular audits of TPM device registrations and agent identities to detect anomalies early.
7. Integrate keylime attestation results with centralized security information and event management (SIEM) systems for enhanced monitoring and incident response.
8. Educate system administrators about the risks of identity spoofing in TPM attestation and enforce strong operational security practices around agent management.
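The binding check behind recommendations 2, 3 and 6, as an added example (not keylime's code, schema or API): a registrar-side store that pins each UUID to the fingerprint of the TPM endorsement key seen at first registration, rejects a different key for that UUID, and records every conflict for audit. `AgentStore`, `ek_fingerprint` and the sample values are hypothetical, and the sketch assumes the registrar has already verified possession of the presented key.

```python
import hashlib
import hmac

class DuplicateIdentityError(Exception):
    """A registered UUID was claimed with a different TPM key."""

def ek_fingerprint(ek_pub: bytes) -> str:
    # SHA-256 of the endorsement public key bytes presented at registration.
    return hashlib.sha256(ek_pub).hexdigest()

class AgentStore:
    """Hypothetical registrar-side store (not keylime's schema or API)."""

    def __init__(self, enforce_binding: bool = True):
        self.enforce_binding = enforce_binding
        self.agents = {}     # uuid -> EK fingerprint bound at first registration
        self.conflicts = []  # audit trail: (uuid, bound_fp, claimed_fp)

    def register(self, uuid: str, ek_pub: bytes) -> str:
        claimed = ek_fingerprint(ek_pub)
        bound = self.agents.get(uuid)
        if bound is not None and not hmac.compare_digest(bound, claimed):
            self.conflicts.append((uuid, bound, claimed))  # always record it
            if self.enforce_binding:
                raise DuplicateIdentityError(f"{uuid} is bound to another TPM")
        self.agents[uuid] = claimed  # same-key re-registration is idempotent
        return claimed

    def deregister(self, uuid: str) -> None:
        # Explicit administrator step required before a TPM replacement.
        self.agents.pop(uuid, None)

def demo():
    uuid = "00000000-0000-4000-8000-000000000001"          # constructed sample
    ek_a, ek_b = b"constructed-ek-A", b"constructed-ek-B"  # stand-in key bytes
    weak, strict = AgentStore(enforce_binding=False), AgentStore()
    for store in (weak, strict):
        store.register(uuid, ek_a)
    weak.register(uuid, ek_b)  # overwrite behaviour the advisory describes
    try:
        strict.register(uuid, ek_b)
        rejected = False
    except DuplicateIdentityError:
        rejected = True
    return {"weak_overwritten": weak.agents[uuid] == ek_fingerprint(ek_b),
            "strict_kept": strict.agents[uuid] == ek_fingerprint(ek_a),
            "rejected": rejected,
            "conflicts": (len(weak.conflicts), len(strict.conflicts))}
```

The `conflicts` list is the signal to forward to log monitoring or a SIEM; a legitimate TPM replacement goes through `deregister` first, so any entry there is an unexpected key change.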


Technical Details

Data Version: 5.2
Assigner Short Name: redhat
Date Reserved: 2025-11-24T15:47:12.935Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6924a2b20ea9183d5bf9f772

Added to database: 11/24/2025, 6:23:46 PM

Last enriched: 11/24/2025, 6:37:05 PM

Last updated: 11/24/2025, 7:28:30 PM
