CVE-2025-61667 is a vulnerability in the Datadog Linux Host Agent versions 7.65.0 through 7.70.2 caused by incorrect default permissions on the directory opt/datadog-agent/python-scripts/__pycache__. This directory contains Python bytecode files executed by the agent during installation or upgrade processes. Because the directory permissions are insufficiently restrictive, a local attacker with low privileges can modify or replace files within __pycache__, which will then be executed with higher privileges during the agent upgrade. This results in local privilege escalation, allowing the attacker to gain elevated system rights. The vulnerability requires local access and a valid low-privilege account but does not require user interaction or network access. The issue is specific to the Linux Host Agent; containerized, Kubernetes, Windows, and other Datadog agent variants are unaffected. The vulnerability is tracked under CWE-276 (Incorrect Default Permissions) and has a CVSS 4.0 score of 7 (high severity). Datadog addressed this issue in version 7.71.0 by correcting the directory permissions to prevent unauthorized modifications.

For European organizations, this vulnerability poses a significant risk especially in environments where the Datadog Linux Host Agent is deployed for monitoring and observability. An attacker with local access and a low-privilege account could exploit this flaw to escalate privileges, potentially gaining root or administrative control over the host system. This could lead to unauthorized access to sensitive data, disruption of monitoring services, and further lateral movement within the network. Given the critical role of monitoring agents in infrastructure management, compromise could undermine incident detection and response capabilities. Organizations in sectors with strict regulatory requirements for data protection (e.g., finance, healthcare, critical infrastructure) could face compliance violations and reputational damage if exploited. The requirement for local access limits remote exploitation but insider threats or compromised low-privilege accounts remain a concern.

European organizations should immediately upgrade all affected Datadog Linux Host Agent installations to version 7.71.0 or later, where the permission issue is resolved. Until upgrades can be performed, restrict local access to hosts running the vulnerable agent by enforcing strict access controls and monitoring for suspicious activity. Implement host-based intrusion detection systems to detect unauthorized file modifications in the datadog-agent directories. Review and harden file system permissions on the opt/datadog-agent/python-scripts/__pycache__ directory to ensure only privileged users can modify its contents. Conduct regular audits of user accounts and privileges to minimize the risk of low-privilege account compromise. Additionally, consider isolating monitoring agents on dedicated hosts or containers to limit the blast radius of potential exploits. Maintain up-to-date backups and incident response plans to quickly recover from any compromise.