CVE-2025-61779 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the Confidential Containers Trustee project, specifically versions prior to 0.15.0. The Trustee project is responsible for attesting confidential guests and securely providing secrets to them within confidential computing environments. The vulnerability arises because the attestation-policy endpoint fails to verify whether the kbs-client submitting a request is authenticated or holds the correct key. This lack of authentication allows any kbs-client, including unauthorized or malicious clients, to alter the attestation policy arbitrarily. Attestation policies are critical as they define the conditions under which confidential guests are trusted and granted access to secrets. Unauthorized modification of these policies can lead to the acceptance of untrusted or malicious guests, undermining the confidentiality and integrity guarantees of the confidential computing environment. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score of 8.7 reflects the high impact on confidentiality and integrity, with no privileges or user interaction required. The issue was resolved in version 0.15.0 by adding proper authentication checks to the attestation-policy endpoint, ensuring only authorized kbs-clients can modify policies. No known exploits are reported in the wild as of the publication date, but the potential impact warrants immediate attention from users of affected versions.

For European organizations leveraging confidential computing and containerized workloads, this vulnerability poses a significant risk. Unauthorized modification of attestation policies can allow attackers to bypass security controls, potentially enabling untrusted or malicious workloads to access sensitive secrets or data. This compromises confidentiality and integrity, which are paramount in sectors such as finance, healthcare, and government. The ability to remotely exploit this vulnerability without authentication or user interaction increases the attack surface, especially in multi-tenant cloud environments common in Europe. Organizations relying on Confidential Containers Trustee for secure attestation and secret management may face data breaches, regulatory non-compliance (e.g., GDPR), and reputational damage. The vulnerability could also facilitate lateral movement within networks if attackers use compromised policies to escalate privileges or access additional resources. Given the growing adoption of confidential computing in Europe, the impact could be widespread if not promptly mitigated.

The primary mitigation is to upgrade the Confidential Containers Trustee project to version 0.15.0 or later, where the vulnerability is fixed by enforcing authentication on the attestation-policy endpoint. Organizations should audit their current attestation policies to detect any unauthorized changes that may have occurred prior to patching. Implement network segmentation and access controls to restrict which clients can communicate with the Trustee service, minimizing exposure. Employ strong authentication and authorization mechanisms for all components interacting with the Trustee, including kbs-clients. Monitor logs and alerts for unusual policy modification attempts or access patterns. Integrate vulnerability scanning and configuration management to ensure no outdated Trustee versions are deployed. Finally, educate DevOps and security teams about the importance of secure attestation policy management and the risks of this vulnerability to prevent future misconfigurations.