CVE-2025-22248 is a critical vulnerability affecting VMware's Bitnami PostgreSQL-related containerized deployments, specifically the bitnami/pgpool Docker image and the bitnami/postgres-ha Kubernetes Helm chart. Under default configurations, these deployments include a 'repmgr' user account that allows unauthenticated access to the PostgreSQL database cluster. The vulnerability arises because the PGPOOL_SR_CHECK_USER, which Pgpool uses internally to perform streaming replication health checks, is configured with a trust authentication level rather than requiring credentials. This misconfiguration enables an attacker to log into the PostgreSQL database cluster using the repmgr user without any authentication. If the Pgpool service is exposed externally, an attacker can exploit this to gain unauthorized access to the database, potentially leading to full compromise of the database cluster. The vulnerability is classified under CWE-1188, which relates to improper authentication mechanisms. The CVSS 4.0 score is 9.4 (critical), reflecting high impact on confidentiality, integrity, and availability, with no authentication or user interaction required, and exploitation possible over an adjacent network. Although no known exploits are currently reported in the wild, the severity and ease of exploitation make this a significant threat to any organization using these Bitnami PostgreSQL container images or Helm charts in default configurations. The vulnerability affects all versions of the affected products, emphasizing the need for immediate remediation.

For European organizations, this vulnerability poses a severe risk, especially those relying on containerized PostgreSQL deployments using Bitnami's pgpool and postgres-ha charts. Unauthorized access to the database cluster can lead to data breaches involving sensitive personal data protected under GDPR, resulting in regulatory penalties and reputational damage. The integrity of critical business data could be compromised, enabling attackers to alter or delete data, disrupt services, or use the database as a pivot point for further network intrusion. Availability impacts could arise if attackers disrupt replication or database operations, affecting business continuity. Organizations in sectors such as finance, healthcare, telecommunications, and government, which often deploy Kubernetes and containerized databases for scalability and resilience, are particularly at risk. The exposure of Pgpool externally increases the attack surface, and given the default configuration issue, many deployments may be vulnerable without explicit hardening. The critical severity and ease of exploitation mean that attackers do not require credentials or user interaction, increasing the likelihood of exploitation if the service is exposed.

European organizations should immediately audit their Kubernetes clusters and Docker deployments using Bitnami's pgpool and postgres-ha images to determine if they are running default configurations exposing the repmgr user without authentication. Specific mitigation steps include: 1) Restrict external exposure of Pgpool services by enforcing network policies, firewall rules, or ingress controls to limit access only to trusted internal networks or VPNs. 2) Modify the Pgpool configuration to require proper authentication for the PGPOOL_SR_CHECK_USER and repmgr accounts, replacing trust authentication with password or certificate-based authentication. 3) Rotate or disable the repmgr user if it is not required for operational purposes. 4) Update to patched versions once VMware/Bitnami releases them; until then, apply configuration hardening as a temporary measure. 5) Monitor logs and network traffic for unauthorized access attempts to the database cluster. 6) Employ Kubernetes security best practices such as Role-Based Access Control (RBAC) and Pod Security Policies to limit container privileges. 7) Conduct penetration testing and vulnerability scanning focused on database access controls. These targeted actions go beyond generic advice by focusing on the specific misconfiguration and exposure vectors identified in this vulnerability.