CVE-2025-64507 is a vulnerability in Incus, a system container and virtual machine manager, specifically affecting versions prior to 6.0.6 and between 6.1.0 and 6.19.0. The flaw stems from improper privilege management (CWE-269) related to handling of custom storage volumes with the 'security.shifted' property set to true. In environments where unprivileged users have root access inside a container and also have unprivileged access on the host, an attacker can exploit this vulnerability to escalate privileges to root on the host system. The attack vector involves creating a custom storage volume with the required property, which depends on kernel and filesystem support, and then writing a setuid binary inside the container. This binary can be executed on the host as an unprivileged user, resulting in root privilege escalation. The vulnerability is particularly relevant in setups using 'incus-user' with the less privileged 'incus' group to provide isolated container access to unprivileged users. The vulnerability does not require authentication or user interaction, making it easier to exploit in affected environments. Although no known exploits have been reported in the wild, the CVSS 8.6 score reflects the high impact on confidentiality, integrity, and availability. A patch is expected in versions 6.0.6 and 6.19.0, but until then, manual restrictions on permissions related to custom storage volumes can mitigate risk. This vulnerability highlights the risks of privilege escalation in containerized environments when storage volume properties are improperly managed.

For European organizations, this vulnerability poses a significant risk of host-level compromise in environments using Incus for container or VM management, especially in multi-tenant or shared user scenarios. Successful exploitation allows attackers to gain root privileges on the host from an unprivileged container user, potentially leading to full system compromise, data breaches, lateral movement, and disruption of critical services. Organizations relying on Incus for isolated container environments may find their security boundaries breached, undermining trust in container isolation. The impact is heightened in sectors with strict data protection regulations such as finance, healthcare, and government, where unauthorized root access can lead to severe compliance violations and reputational damage. Additionally, the ease of exploitation without authentication or user interaction increases the urgency for mitigation. The vulnerability could also facilitate deployment of persistent malware or ransomware at the host level, amplifying operational risks. Given the widespread adoption of container technologies in European IT infrastructures, the threat could affect cloud providers, hosting services, and enterprises using Incus-based container management.

European organizations should immediately inventory their Incus deployments to identify affected versions prior to 6.0.6 and between 6.1.0 and 6.19.0. Until patches are released, administrators should manually restrict permissions on custom storage volumes, particularly those with the 'security.shifted' property, to prevent unprivileged users from creating or modifying these volumes. This may include tightening filesystem ACLs, disabling or limiting the use of the 'security.shifted' property where possible, and restricting access to the 'incus-user' and 'incus' groups. Monitoring and alerting on creation of setuid binaries within containers and unusual container storage volume configurations can help detect exploitation attempts. Organizations should also consider isolating container workloads to minimize unprivileged host access and review kernel and filesystem configurations to limit support for the vulnerable storage volume features. Once patches for versions 6.0.6 and 6.19.0 are available, prompt deployment is critical. Additionally, implementing host-based intrusion detection and regular auditing of container and storage volume permissions will strengthen defenses against exploitation.