CVE-2025-32802: CWE-73 External Control of File Name or Path in ISC Kea
Kea configuration and API directives can be used to overwrite arbitrary files, subject to permissions granted to Kea. Many common configurations run Kea as root, leave the API entry points unsecured by default, and/or place the control sockets in insecure paths. This issue affects Kea versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8.
AI Analysis
Technical Summary
CVE-2025-32802 is a vulnerability identified in ISC Kea, a widely used open-source DHCP server software. The flaw is categorized under CWE-73, which involves external control of file names or paths. Specifically, the vulnerability allows an attacker to leverage Kea's configuration and API directives to overwrite arbitrary files on the host system. This capability is contingent upon the permissions granted to the Kea process. Notably, many default or common Kea deployments run the service with root privileges, expose API entry points without adequate security controls, and place control sockets in insecure filesystem locations. These factors collectively increase the risk and potential impact of exploitation. The affected versions include Kea 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8. The vulnerability has a CVSS v3.1 base score of 6.1, indicating a medium severity level. The CVSS vector (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H) reflects that exploitation requires local access with low privileges, no user interaction, and results in no confidentiality impact but causes integrity loss and high availability impact. There are no known exploits in the wild at this time, and no official patches have been linked yet. The vulnerability arises from insufficient access control and insecure default configurations, which allow external inputs to influence file paths used by Kea, enabling unauthorized file overwrites that can disrupt DHCP services or potentially facilitate privilege escalation or further system compromise.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those relying on ISC Kea for DHCP services in critical network infrastructure. Successful exploitation can lead to denial of service by corrupting DHCP configurations or service files, causing network outages or degraded service availability. Given that many deployments run Kea as root, attackers could overwrite sensitive system files, potentially enabling privilege escalation or persistent backdoors. This could disrupt enterprise networks, data centers, or ISPs, impacting business continuity and service reliability. Additionally, compromised DHCP services can lead to broader network security issues, such as unauthorized IP address allocation or man-in-the-middle attacks. The medium severity rating reflects the need for local access and low privileges, which somewhat limits remote exploitation but does not eliminate risk from insider threats or attackers who have gained initial footholds. The lack of user interaction requirement increases the risk of automated or scripted exploitation once local access is obtained.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should first audit their Kea deployments to identify affected versions (2.4.0-2.4.1, 2.6.0-2.6.2, 2.7.0-2.7.8). Immediate steps include:
1) Restricting Kea process privileges by running it under a dedicated, non-root user with minimal permissions strictly necessary for operation.
2) Securing API entry points by implementing strong authentication and network access controls to prevent unauthorized local or remote access.
3) Relocating control sockets to secure filesystem paths with restricted permissions to prevent unauthorized manipulation.
4) Monitoring and logging API usage and file system changes related to Kea to detect suspicious activity.
5) Applying any forthcoming patches or updates from ISC promptly once available.
6) Conducting regular configuration reviews to ensure no insecure defaults remain.
7) Employing host-based intrusion detection systems to alert on unexpected file modifications.
These targeted measures go beyond generic advice by focusing on the specific vectors exploited by this vulnerability and the typical insecure configurations that exacerbate risk.
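An audit of the risk factors named above, as an added example that is not part of the original advisory or ISC's code: it checks a parsed Kea configuration for the affected version ranges, a root-run process, control sockets in shared directories, and a Control-agent without authentication. The function names, the list of shared directories, and the sample configuration are assumptions constructed for illustration.

```python
import json
import posixpath

# Affected release ranges as listed in the advisory text (inclusive).
AFFECTED = [((2, 4, 0), (2, 4, 1)), ((2, 6, 0), (2, 6, 2)), ((2, 7, 0), (2, 7, 8))]
# Assumption: directories treated as insecure because any local user can write there.
SHARED_DIRS = ("/tmp", "/var/tmp", "/dev/shm")

def is_affected(version):
    """True if a 'major.minor.patch' string falls in an affected range."""
    v = tuple(int(p) for p in version.split(".")[:3])
    return any(lo <= v <= hi for lo, hi in AFFECTED)

def socket_paths(node):
    """Recursively yield every 'socket-name' value in a parsed Kea config."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "socket-name" and isinstance(val, str):
                yield val
            yield from socket_paths(val)
    elif isinstance(node, list):
        for item in node:
            yield from socket_paths(item)

def audit(cfg, version, run_uid):
    """Return findings for the risk factors the advisory names."""
    findings = []
    if is_affected(version):
        findings.append(f"version {version} is in an affected range")
    if run_uid == 0:
        findings.append("Kea runs as root (uid 0)")
    for path in socket_paths(cfg):
        norm = posixpath.normpath(path)
        if any(norm == d or norm.startswith(d + "/") for d in SHARED_DIRS):
            findings.append(f"control socket in shared directory: {path}")
    agent = cfg.get("Control-agent")
    if agent is not None and not agent.get("authentication"):
        findings.append("Control-agent has no authentication block")
    return findings

# Constructed sample configuration (not taken from a real deployment).
SAMPLE = json.loads("""{
  "Dhcp4": {"control-socket": {"socket-type": "unix", "socket-name": "/tmp/kea4-ctrl-socket"}},
  "Control-agent": {"http-host": "127.0.0.1", "http-port": 8000}
}""")

if __name__ == "__main__":
    for finding in audit(SAMPLE, "2.6.1", run_uid=0):
        print("FINDING:", finding)
```

Real Kea configuration files may contain comments, which `json.loads` rejects; strip them or export the running configuration as plain JSON before feeding it to `audit`.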
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden, Belgium, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: isc
- Date Reserved: 2025-04-10T12:51:45.055Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6837447f182aa0cae2557b2b
Added to database: 5/28/2025, 5:14:39 PM
Last enriched: 7/7/2025, 7:40:07 AM
Last updated: 8/9/2025, 2:57:03 PM