CVE-2025-58712 is a container privilege escalation vulnerability identified in certain Apache ActiveMQ Artemis broker container images. The root cause is that during the container image build process, the /etc/passwd file is created with group-writable permissions. This misconfiguration allows any user who has command execution capabilities inside the container and is a member of the root group to modify the /etc/passwd file. By altering this file, the attacker can add a new user entry with any arbitrary user ID, including UID 0, which corresponds to the root user. This effectively grants the attacker full root privileges within the container environment. The vulnerability requires the attacker to already have a high privilege level (root group membership) and command execution inside the container, but does not require any user interaction. The CVSS 3.1 base score is 5.2 (medium), reflecting the need for high privileges and local access but the significant impact on integrity and potential availability. No known public exploits have been reported to date. This vulnerability highlights the importance of secure container image build practices, especially regarding file permissions on critical system files like /etc/passwd. Organizations deploying ActiveMQ Artemis in containerized environments should review their images and build pipelines to ensure proper file permissions and minimize group privileges. Patching or rebuilding images with corrected permissions is recommended once available.

For European organizations, this vulnerability poses a risk primarily in containerized deployments of Apache ActiveMQ Artemis, which is widely used for messaging in enterprise middleware. If exploited, an attacker with access inside the container and root group membership can escalate privileges to root within the container, potentially allowing them to manipulate the broker or pivot to other containerized services. This could lead to data integrity issues, unauthorized message manipulation, and disruption of critical messaging infrastructure. While the vulnerability does not directly allow host-level compromise, improper container isolation or misconfigurations could enable further lateral movement. Organizations in sectors relying heavily on messaging middleware—such as finance, telecommunications, and manufacturing—may face operational disruptions or data breaches. The medium severity indicates a moderate but non-trivial risk, especially in environments where container security best practices are not fully enforced. The lack of known exploits reduces immediate risk but should not lead to complacency.

1. Review and rebuild all Apache ActiveMQ Artemis container images to ensure /etc/passwd and other critical system files have secure, non-group-writable permissions during build time. 2. Limit root group membership inside containers to only absolutely necessary processes and users. 3. Implement strict container runtime security policies that restrict privilege escalation and monitor for unauthorized modifications to system files. 4. Use container image scanning tools to detect insecure file permissions and privilege configurations before deployment. 5. Employ container isolation best practices, including user namespaces and seccomp profiles, to reduce the impact of container-level privilege escalations. 6. Monitor container logs and audit trails for suspicious activities related to user or group modifications. 7. Stay updated with vendor patches or updated container images addressing this vulnerability and apply them promptly once available. 8. Consider adopting immutable container images and avoid running containers with unnecessary elevated privileges.