CVE-2025-67745: CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak') in Aiven-Open myhoard
MyHoard is a daemon for creating, managing and restoring MySQL backups. Starting in version 1.0.1 and prior to version 1.3.0, in some cases, myhoard logs the whole backup info, including the encryption key. Version 1.3.0 fixes the issue. As a workaround, direct logs into /dev/null.
AI Analysis
Technical Summary
CVE-2025-67745 is a vulnerability classified under CWE-402 (Transmission of Private Resources into a New Sphere, or resource leak) affecting the MyHoard daemon developed by Aiven-Open. MyHoard is used to create, manage, and restore MySQL backups. In versions from 1.0.1 up to but not including 1.3.0, the daemon improperly logs detailed backup information, including the encryption keys used to secure the backups. This logging behavior results in sensitive cryptographic material being written to log files, which can be accessed by unauthorized users if log files are improperly secured or exposed. The vulnerability can be exploited remotely over the network with low privileges and does not require user interaction, increasing the risk of automated or stealthy attacks. The impact is primarily on confidentiality, as exposure of encryption keys can lead to unauthorized decryption of backup data, potentially compromising sensitive organizational information. Integrity impact is low since the vulnerability does not directly allow data modification, and availability is not affected. The issue was addressed in MyHoard version 1.3.0 by removing the logging of sensitive information. As an interim mitigation, administrators are advised to redirect logs to /dev/null to prevent sensitive data from being written to disk. No known exploits are reported in the wild as of the publication date. The CVSS v3.1 base score is 7.1, reflecting a high severity due to network attack vector, low attack complexity, and high confidentiality impact.
Potential Impact
For European organizations, the exposure of encryption keys through logs can lead to severe confidentiality breaches, allowing attackers to decrypt MySQL backups and access sensitive data such as personal information, financial records, or intellectual property. This can result in regulatory non-compliance, especially under GDPR, leading to legal penalties and reputational damage. Organizations relying on MyHoard for backup management in sectors like finance, healthcare, and critical infrastructure are particularly at risk. The vulnerability could facilitate lateral movement or data exfiltration if attackers gain access to logs. Although no known exploits exist currently, the ease of exploitation and the sensitive nature of the leaked data make this a significant threat. The impact on data integrity and system availability is minimal, but the confidentiality compromise alone warrants urgent remediation.
Mitigation Recommendations
European organizations should immediately upgrade MyHoard to version 1.3.0 or later, where the vulnerability is fixed. Until patching is possible, administrators should configure the daemon to redirect logs to /dev/null or an equivalent secure logging sink that prevents sensitive data from being stored on disk. Additionally, organizations should audit existing log files for exposure of encryption keys and rotate any compromised encryption keys used for backups. Access controls on log files should be tightened to restrict unauthorized access. Monitoring for unusual access patterns to backup logs and implementing network segmentation to limit access to backup management systems can reduce risk. Regular security reviews of backup and logging configurations should be conducted to prevent similar issues. Finally, organizations should consider encrypting logs or using secure logging frameworks that avoid storing sensitive information in plaintext.
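The log audit recommended above, as an added sketch that is not part of this advisory or of MyHoard's own code: it flags log lines where a key-like field carries a high-entropy value and returns a redacted copy for safe sharing. The field-name pattern, the entropy threshold and the sample log lines are assumptions constructed for illustration; MyHoard's real log format is not shown on this page.

```python
import math
import re
from collections import Counter

# Field names hinting at key material. Assumed for illustration; these are
# not taken from MyHoard's actual log output.
KEY_FIELD = re.compile(
    r"""(?P<name>[\w-]*(?:key|secret|passphrase)[\w-]*)['"]?\s*[:=]\s*['"]?"""
    r"""(?P<value>[A-Za-z0-9+/=_-]{16,})""",
    re.IGNORECASE,
)

def shannon_entropy(s):
    """Bits per character; random hex or base64 scores well above 3."""
    counts = Counter(s)
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def audit_line(line, min_entropy=3.0):
    """Return (flagged field names, line with flagged values redacted)."""
    findings = []

    def _redact(m):
        if shannon_entropy(m.group("value")) < min_entropy:
            return m.group(0)  # masked or placeholder value, leave as is
        findings.append(m.group("name"))
        prefix_len = m.start("value") - m.start()
        return m.group(0)[:prefix_len] + "[REDACTED]"

    redacted = KEY_FIELD.sub(_redact, line)
    return findings, redacted

def audit_log(lines):
    """Return (line number, field names, redacted line) for each hit."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        fields, redacted = audit_line(line)
        if fields:
            hits.append((lineno, fields, redacted))
    return hits

# Constructed sample lines; the key value is made up, not real key material.
SAMPLE_LOG = [
    "2025-12-18 06:56:30 INFO Backup stream started, site=constructed-site",
    "2025-12-18 06:56:31 INFO Backup info: {'stream_id': 'constructed-0001', "
    "'encryption_key': '4f9a1c7e2b8d03f56a1e9c4b7d2f8a60'}",
    "2025-12-18 06:56:32 DEBUG api_key=XXXXXXXXXXXXXXXXXXXXXXXX (masked)",
]

if __name__ == "__main__":
    for lineno, fields, redacted in audit_log(SAMPLE_LOG):
        print(f"line {lineno}: {fields} -> {redacted}")
```

Any backup whose key appears in a hit should be treated as exposed and its key rotated; the redacted line is what goes into tickets or reports.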
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-12-11T18:08:02.946Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69444e5e4eb3efac36a13dd1
Added to database: 12/18/2025, 6:56:30 PM
Last enriched: 12/18/2025, 7:11:20 PM
Last updated: 12/19/2025, 4:19:58 AM