CVE-2025-64507 is a vulnerability in Incus, a system container and virtual machine manager developed by the lxc project, affecting versions prior to 6.0.6 and between 6.1.0 and 6.19.0. The flaw arises from improper privilege management (CWE-269) related to the handling of custom storage volumes with the 'security.shifted' property set to true. In environments where unprivileged users have root access inside a container and also have unprivileged access on the host, these users can exploit this vulnerability by creating a custom storage volume with the required property. This enables them to write a setuid binary inside the container, which can then be executed on the host as an unprivileged user, resulting in privilege escalation to root on the host system. The attack vector requires local access but no authentication or user interaction, making it relatively easy to exploit in multi-user environments. The vulnerability is particularly relevant in setups using 'incus-user' with the 'incus' group to provide restricted container access to unprivileged users. The issue is dependent on kernel and filesystem support for the 'security.shifted' property. The vendor has planned patches in versions 6.0.6 and 6.19.0 to address this issue. Until patches are applied, manual restriction of permissions on storage volumes can serve as a temporary mitigation. The CVSS 4.0 base score of 8.6 reflects the high impact on confidentiality, integrity, and availability due to the ability to gain root privileges on the host from a containerized environment.

For European organizations, this vulnerability poses a significant risk in environments utilizing Incus for container or VM management, especially where multiple users share access and unprivileged users have container root access. Successful exploitation leads to full host compromise, allowing attackers to bypass container isolation, access sensitive data, modify system configurations, deploy persistent malware, or disrupt services. This undermines the security benefits of containerization and virtualization, potentially affecting critical infrastructure, cloud services, and enterprise IT systems. Organizations in sectors with strict data protection regulations (e.g., GDPR) face additional compliance risks if breaches occur. The vulnerability's ease of exploitation without authentication or user interaction increases the urgency for remediation. The lack of known exploits in the wild currently reduces immediate threat but does not eliminate the risk of future attacks, especially as the vulnerability becomes publicly known.

European organizations should prioritize upgrading Incus to versions 6.0.6 or 6.19.0 or later where the vulnerability is patched. Until patches are deployed, administrators must manually restrict permissions on custom storage volumes, particularly those with the 'security.shifted' property, to prevent unprivileged users from creating or modifying setuid binaries. Implement strict access controls and monitoring on container storage volumes and host filesystem mounts to detect unauthorized changes. Limit the number of users with container root access and avoid granting unprivileged users simultaneous host access where possible. Employ kernel and filesystem configurations that do not support or restrict the 'security.shifted' property if feasible. Regularly audit container and host environments for suspicious activity and enforce least privilege principles. Additionally, incorporate this vulnerability into incident response plans and vulnerability management workflows to ensure timely detection and remediation.