CVE-2025-32803 is a vulnerability identified in ISC Kea DHCP server versions 2.4.0 through 2.4.1, 2.6.0 through 2.6.2, and 2.7.0 through 2.7.8. The issue stems from incorrect default file permissions (CWE-276) applied to certain Kea files, specifically log files and lease files, which may be world-readable. This means that any user or process on the system, regardless of privilege level, could potentially read sensitive DHCP operational data. Lease files contain information about IP address assignments to clients, including MAC addresses and lease durations, while log files may contain operational details and potentially sensitive network information. The vulnerability has a CVSS 3.1 base score of 4.0, indicating a medium severity level. The vector string (AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) shows that the attack vector is local (AV:L), requiring low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N). The impact is limited to confidentiality (C:L), with no impact on integrity or availability. There are no known exploits in the wild at this time, and no patches are linked in the provided information, suggesting that remediation may require manual configuration changes or awaiting an official patch from ISC. The vulnerability arises because default permissions on these files are too permissive, exposing sensitive DHCP data to unauthorized local users or processes, which could be leveraged for reconnaissance or further attacks within the network environment.

For European organizations, this vulnerability could lead to unauthorized disclosure of DHCP lease and log information if an attacker gains local access to affected systems. This exposure could facilitate network reconnaissance, allowing attackers to map internal IP address allocations and device identities, potentially aiding lateral movement or targeted attacks. While the vulnerability does not directly allow modification or disruption of DHCP services, the confidentiality breach could undermine network security posture. Organizations with multi-tenant environments or shared hosting where local user separation is critical may be particularly at risk. Additionally, compliance with European data protection regulations such as GDPR could be impacted if sensitive network information is exposed, especially if DHCP logs contain any personal data or identifiers. The medium severity rating suggests that while the risk is not critical, it should be addressed promptly to prevent potential escalation or exploitation in conjunction with other vulnerabilities or insider threats.

To mitigate this vulnerability, European organizations should immediately audit the file permissions of Kea DHCP server log and lease files on all affected versions. Permissions should be restricted to the minimum necessary, typically allowing read/write access only to the Kea service user and administrators. Implementing strict access control lists (ACLs) or using filesystem-level security features such as SELinux or AppArmor can further restrict unauthorized access. Organizations should monitor local user activities and review system logs for any unauthorized access attempts. Where possible, upgrade to a fixed version of Kea once ISC releases a patch addressing this issue. Until a patch is available, consider isolating DHCP servers to trusted administrative environments with limited local user access. Additionally, employ network segmentation to limit exposure of DHCP servers and sensitive network infrastructure. Regular security audits and configuration management should be enforced to ensure permissions remain correctly set over time.