CVE-2025-58712 is a container privilege escalation vulnerability identified in certain Red Hat RHEL-9 based middleware container images, notably AMQ Broker images. The root cause is the /etc/passwd file being created with group-writable permissions during the container image build process. This misconfiguration allows any user who can execute commands inside the container and who is a member of the root group to modify the /etc/passwd file. By altering this file, the attacker can add a new user entry with an arbitrary user ID, including UID 0, which corresponds to the root user. This effectively grants the attacker full root privileges within the container environment. The vulnerability requires that the attacker already have command execution capabilities inside the container and membership in the root group, making the attack complexity high. The CVSS v3.1 score is 5.2 (medium), reflecting limited confidentiality impact but high integrity impact and low availability impact. No user interaction is required, and the scope is unchanged as the privilege escalation is confined to the container. There are no known exploits in the wild at the time of publication. The vulnerability highlights the importance of secure container image build practices, particularly regarding file permissions and group memberships. Red Hat and container users should monitor for patches and updates addressing this issue and audit their container images for similar misconfigurations.

For European organizations deploying Red Hat RHEL-9 based middleware containers, especially those using AMQ Broker images, this vulnerability poses a risk of container-level privilege escalation. An attacker who gains limited access to the container environment and belongs to the root group can escalate to root privileges, potentially allowing them to manipulate container processes, access sensitive data within the container, or pivot to other parts of the infrastructure if container isolation is weak. While the vulnerability does not directly compromise the host system, it undermines container security and could facilitate lateral movement or persistence within containerized environments. This is particularly concerning for organizations relying heavily on containerized middleware for critical applications, such as financial services, telecommunications, and government sectors prevalent in Europe. The medium severity rating indicates that while exploitation is not trivial, the impact on integrity is significant. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits over time. Organizations with automated container deployment pipelines may inadvertently propagate vulnerable images, increasing exposure.

1. Immediately audit all Red Hat RHEL-9 based middleware container images, especially AMQ Broker images, for /etc/passwd file permissions and group memberships. 2. Modify the container build process to ensure /etc/passwd is created with secure permissions (non-group-writable) and verify this in CI/CD pipelines. 3. Restrict root group membership within containers to the minimum necessary users and processes. 4. Apply any vendor-provided patches or updated container images from Red Hat as soon as they become available. 5. Implement runtime container security monitoring to detect unauthorized modifications to critical files like /etc/passwd. 6. Use container security tools to enforce least privilege and prevent privilege escalation attempts. 7. Isolate containers with strict namespace and cgroup configurations to limit the impact of container-level compromises. 8. Educate development and operations teams on secure container image creation and privilege management best practices. 9. Regularly scan container images for vulnerabilities and misconfigurations using automated tools integrated into the CI/CD pipeline. 10. Consider adopting immutable container images where possible to prevent runtime modifications.