CVE-2025-8766: Incorrect Default Permissions in Red Hat OpenShift Data Foundation 4
A container privilege escalation flaw was found in certain Multi-Cloud Object Gateway Core images. This issue stems from the /etc/passwd file being created with group-writable permissions during build time. In certain conditions, an attacker who can execute commands within an affected container, even as a non-root user, can leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
AI Analysis
Technical Summary
CVE-2025-8766 affects certain Multi-Cloud Object Gateway (MCG) Core container images shipped with Red Hat OpenShift Data Foundation 4. The root cause is an incorrect default permission (CWE-276) introduced at image build time: /etc/passwd is written group-writable (mode 664 or similar instead of 644), so any process whose primary or supplementary group is GID 0 can edit it. That condition is the norm on OpenShift rather than an elevated privilege: under the restricted SCCs a container runs as an arbitrary non-root UID, and because that UID has no passwd entry the process's primary group defaults to GID 0, the root group. An attacker therefore needs only command execution inside the container, for example a shell obtained through a flaw in the gateway application, and can append an entry for a new account with UID 0 to /etc/passwd. Appending the entry does not by itself change the attacker's UID; becoming that user requires a setuid binary such as su, or some other mechanism that re-reads /etc/passwd, and a pod security context with allowPrivilegeEscalation: false (no_new_privs) blocks setuid transitions. Such environment-dependent requirements are the most plausible reading of the advisory's "in certain conditions", and they are why the CVSS 3.1 base score is a medium 6.4 despite the full confidentiality, integrity and availability impact once UID 0 is reached: the attack is local, needs a foothold in the container, and depends on the container's configuration. No public exploit has been reported. The flaw is a reminder that the widespread build-time pattern of relaxing /etc/passwd permissions so an arbitrary-UID container can register its own user trades a startup convenience for a privilege boundary.
Potential Impact
The direct consequence of CVE-2025-8766 is escalation from an arbitrary non-root UID to UID 0 inside an affected MCG Core container. Once root in the container, the attacker is no longer constrained by file ownership within the image: configuration, credentials and data that the object gateway holds or mounts become readable and writable, processes can be killed or replaced, and any capabilities the container still retains can be exercised. Root inside the container does not by itself defeat namespace isolation or grant access to the node; reaching the host or other workloads still requires a separate weakness such as an over-permissive SCC, a sensitive hostPath mount, or a kernel flaw. Because MCG provides S3-compatible object storage for the cluster, control of its container is nevertheless a strong position from which to read or tamper with stored data and disrupt the storage service. The risk is greatest in multi-tenant or managed OpenShift clusters where the container boundary is the main separation between tenants. No exploitation in the wild is known; the prerequisites limit opportunistic abuse but not an attacker who already has a foothold in the container.
Mitigation Recommendations
Apply Red Hat's updated MCG Core images for OpenShift Data Foundation 4 as soon as they are available; the correct state is /etc/passwd owned by root with mode 644 or stricter. For images you build yourself, avoid the pattern of running chmod g+w /etc/passwd (or chmod g=u /etc/passwd) at build time so that an arbitrary UID can register itself; if a passwd entry is needed at runtime, use nss_wrapper or a similar approach that does not require a writable /etc/passwd. Where you control the pod spec, reduce exposure until patched images are deployed: set readOnlyRootFilesystem: true in the container securityContext (with emptyDir volumes for paths the service must write) so /etc/passwd cannot be modified regardless of its mode, set runAsGroup to a non-zero GID so the process does not default to GID 0, and keep allowPrivilegeEscalation: false so a planted UID-0 entry cannot be used through setuid binaries. Keep the restricted SCC, or a stricter custom SCC, on the workload. Add detection for writes to /etc/passwd and for new UID-0 entries inside containers, for example through a runtime sensor's file-integrity rules or a periodic audit. Scan all images in your registries for group- or world-writable /etc/passwd, /etc/group and /etc/shadow, and include this class of finding in container penetration tests. Finally, protect cluster and container management interfaces with strong authentication and least-privilege RBAC: the attacker's first foothold in the container is what makes this flaw exploitable.
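The following shell script is an added example, not Red Hat's code and not part of the advisory, that implements the two checks called for in the Technical Summary and the Mitigation Recommendations above: a pre-exploitation check that /etc/passwd is group-writable and that the current process is in GID 0, and a post-exploitation check for UID-0 accounts other than root. The sample passwd contents, the "app" service user and the "backdoor" entry are constructed for the demonstration and do not come from the real images.

```shell
#!/bin/sh
# Added example for CVE-2025-8766 triage (example code, not Red Hat's own tooling).
# Run inside a suspect container, or point it at /etc/passwd in an extracted
# image rootfs. Two checks:
#   pre-exploitation : is the file group-writable, and is this process in GID 0?
#   post-exploitation: does the file carry a UID-0 account other than root?
# POSIX sh; uses only find, awk, id, mktemp, chmod and printf.

# True when FILE has its group-write bit set (find prints FILE only on a match).
passwd_group_writable() {
    [ -n "$(find "$1" -perm -g+w 2>/dev/null)" ]
}

# Print login names mapped to UID 0 that are not "root". The entry an attacker
# appends under this CVE looks like "backdoor:x:0:0::/root:/bin/sh".
uid0_aliases() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# True when the caller has GID 0 as primary or supplementary group. That is the
# normal state of an OpenShift restricted-SCC container (arbitrary UID, GID 0),
# so a "yes" here is a precondition of the attack, not proof of compromise.
in_root_group() {
    for g in $(id -G); do
        if [ "$g" -eq 0 ]; then return 0; fi
    done
    return 1
}

# Print one FINDING line per issue in FILE; return 0 when clean, 1 otherwise.
audit_passwd() {
    f=$1
    n=0
    if passwd_group_writable "$f"; then
        echo "FINDING: $f is group-writable; any GID-0 process can append a UID-0 user"
        n=$((n + 1))
    fi
    for u in $(uid0_aliases "$f"); do
        echo "FINDING: account '$u' has UID 0 but is not root"
        n=$((n + 1))
    done
    [ "$n" -eq 0 ]
}

# Create a constructed passwd file with octal MODE ($1) plus an optional extra
# line ($2); print its path. "app" is a made-up service account, not the real
# image user.
make_sample_passwd() {
    f=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/bash\napp:x:1001:0::/home/app:/bin/sh\n' >"$f"
    if [ -n "$2" ]; then printf '%s\n' "$2" >>"$f"; fi
    chmod "$1" "$f"
    printf '%s\n' "$f"
}

# Demo on constructed data: the vulnerable image (mode 664) after an attacker
# appended a UID-0 account, versus the hardened image (mode 644).
vuln=$(make_sample_passwd 664 'backdoor:x:0:0::/root:/bin/sh')
fixed=$(make_sample_passwd 644 '')
echo "== vulnerable image, tampered =="
audit_passwd "$vuln" || echo "result: NOT clean"
echo "== hardened image =="
audit_passwd "$fixed" && echo "result: clean"
if in_root_group; then echo "note: this process is in GID 0 (attack precondition met)"; fi
rm -f "$vuln" "$fixed"
```

On a live container, replace the constructed files with `audit_passwd /etc/passwd`; a group-writable result together with `in_root_group` succeeding means the escalation described in the advisory is available to anyone who gets a shell, while a UID-0 alias means it has probably already been used. The same functions can be run against an unpacked image layer in CI to catch the misconfiguration before the image is deployed.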
Affected Countries
United States, Germany, United Kingdom, France, Japan, India, Canada, Australia, South Korea, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2025-08-08T16:07:52.076Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69b37da62f860ef94357f3fe
Added to database: 3/13/2026, 2:59:50 AM
Last enriched: 3/13/2026, 3:14:08 AM
Last updated: 3/14/2026, 12:03:27 AM