CVE-2025-8766: Incorrect Default Permissions in Red Hat OpenShift Data Foundation 4
A container privilege escalation flaw was found in certain Multi-Cloud Object Gateway Core images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
AI Analysis
Technical Summary
CVE-2025-8766 is a container privilege escalation vulnerability identified in certain Multi-Cloud Object Gateway Core images of Red Hat OpenShift Data Foundation 4. The root cause is the /etc/passwd file being created with group-writable permissions during the container image build process. This misconfiguration allows any user who can execute commands inside the container and is a member of the root group to modify the /etc/passwd file. By altering this file, an attacker can add new user entries with arbitrary user IDs, including UID 0, which corresponds to the root user. This effectively grants the attacker full root privileges within the container environment, enabling them to bypass container isolation and potentially escalate privileges further depending on the host configuration. The vulnerability requires the attacker to have command execution capabilities inside the container and membership in the root group, which is a high privilege level but does not require interactive user action. The CVSS v3.1 score is 6.4, reflecting medium severity due to the complexity of exploitation and the need for elevated privileges. No public exploits have been reported so far. The issue highlights the importance of secure container image build practices, especially regarding file permission settings on critical system files like /etc/passwd. Red Hat OpenShift Data Foundation 4 users should review their container images for this misconfiguration and apply vendor patches or rebuild images with corrected permissions. Additionally, runtime security policies should restrict group memberships and command execution capabilities within containers to reduce exploitation risk.
Potential Impact
This vulnerability allows an attacker with command execution and root group membership inside a container to escalate privileges to root by modifying the /etc/passwd file. The impact includes full compromise of the container's confidentiality, integrity, and availability, enabling unauthorized access, data manipulation, and potential disruption of containerized workloads. If containers run with elevated privileges or have access to host resources, this could lead to further host compromise or lateral movement within the environment. Organizations relying on Red Hat OpenShift Data Foundation 4 for multi-cloud object storage may face risks of container breaches, data exfiltration, or service disruption. The requirement for root group membership limits the attack surface but does not eliminate risk, especially in environments where container privilege boundaries are not strictly enforced. The vulnerability could also undermine trust in container isolation, affecting compliance and security posture for cloud-native applications.
Mitigation Recommendations
To mitigate CVE-2025-8766, organizations should:
- Apply any official patches or updates released by Red Hat addressing this vulnerability promptly.
- Rebuild affected container images, ensuring that /etc/passwd and other critical files have secure, non-group-writable permissions at build time.
- Implement strict container runtime security policies to prevent unnecessary root group membership within containers.
- Use container security tools to scan images for insecure file permissions and privilege escalation paths before deployment.
- Limit command execution capabilities inside containers, especially for non-root users, using Kubernetes Pod Security Policies or OpenShift Security Context Constraints.
- Employ runtime monitoring and anomaly detection to identify unauthorized modifications to critical system files inside containers.
- Follow the principle of least privilege for container users and avoid running containers with elevated privileges unless absolutely necessary.
- Regularly audit container configurations and group memberships to ensure compliance with security best practices.
These steps collectively reduce the likelihood of exploitation and limit the impact if a container is compromised.
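The image scan and build-time permission fix recommended above, as an added POSIX shell example that is not part of the advisory or Red Hat's tooling: it checks an unpacked image root filesystem (assumed to come from a tool such as `podman unshare`, `umoci` or `crane export`) for account databases that are group- or world-writable, and strips those bits the way a build step would. The function names and the file list are this example's own.

```shell
#!/bin/sh
# Added example (not Red Hat's or any scanner's code): check an unpacked
# container image root filesystem for critical files that are group- or
# world-writable, the build-time misconfiguration behind CVE-2025-8766.
# The rootfs path is assumed to come from e.g. `podman unshare`, `umoci`
# or `crane export`; the function and file list are this example's own.
#
# Usage: check_critical_perms /path/to/rootfs
# Prints "WRITABLE <mode> <path>" per offending file; returns 1 if any found.
check_critical_perms() {
    rootfs="${1:-/}"
    rc=0
    # Account databases whose write bits must belong to the owner only.
    for rel in etc/passwd etc/group etc/shadow etc/gshadow etc/sudoers; do
        f="$rootfs/$rel"
        [ -e "$f" ] || continue
        # POSIX find: -perm -g+w / -perm -o+w match when that bit is set.
        if [ -n "$(find "$f" \( -perm -g+w -o -perm -o+w \) -print)" ]; then
            mode=$(ls -ld "$f" | cut -c1-10)
            echo "WRITABLE $mode $f"
            rc=1
        fi
    done
    return $rc
}

# Build-time remediation (a RUN step in a Containerfile would do the same):
# strip group and other write bits from the account databases.
fix_critical_perms() {
    rootfs="${1:-/}"
    for rel in etc/passwd etc/group etc/shadow etc/gshadow; do
        if [ -e "$rootfs/$rel" ]; then
            chmod go-w "$rootfs/$rel"
        fi
    done
    return 0
}
```

Run the check in CI against every built image layer set; a non-zero exit fails the pipeline before the image reaches a registry.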
Affected Countries
United States, Germany, United Kingdom, Japan, India, Canada, Australia, France, Netherlands, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2025-08-08T16:07:52.076Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b37da62f860ef94357f3fe
Added to database: 3/13/2026, 2:59:50 AM
Last enriched: 3/20/2026, 11:04:42 PM
Last updated: 4/28/2026, 7:24:41 AM