CVE-2025-8904: CWE-257: Storing Passwords in a Recoverable Format in Amazon EMR
Amazon EMR Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and another account can potentially decrypt the keys and escalate to higher privileges. Users are advised to upgrade to Amazon EMR version 7.5 or higher. For Amazon EMR releases between 6.10 and 7.4, we strongly recommend that you run the bootstrap script and RPM files with the fix provided in the location below.
AI Analysis
Technical Summary
CVE-2025-8904 is a critical security vulnerability identified in Amazon EMR (Elastic MapReduce) versions 6.10 through 7.4. The issue stems from the Amazon EMR Secret Agent component creating a keytab file containing Kerberos credentials and storing it in the /tmp/ directory. The /tmp/ directory is typically world-accessible on Unix-like systems, meaning any user with access to the system can read files stored there. Because the keytab file contains sensitive Kerberos credentials in a recoverable format, an attacker with access to the /tmp/ directory and a separate user account on the same system can decrypt these keys. This decryption enables the attacker to escalate privileges, potentially gaining higher-level access within the EMR cluster environment.

The vulnerability is classified under CWE-257 (Storing Passwords in a Recoverable Format), highlighting the insecure storage of authentication material. The CVSS 4.0 vector indicates network attack vector (AV:N), high attack complexity (AC:H), privileges required are low (PR:L), no user interaction (UI:N), and high impacts on confidentiality, integrity, and availability (all H). Although no known exploits are currently reported in the wild, the critical severity score of 9.0 underscores the urgency of remediation.

Amazon advises users to upgrade to EMR version 7.5 or higher, where the issue is resolved. For versions between 6.10 and 7.4, applying the provided bootstrap scripts and RPM fixes is strongly recommended to mitigate the vulnerability. This vulnerability is particularly concerning in multi-tenant or shared environments where multiple users have access to the same EMR cluster, as it could allow lateral movement and privilege escalation within the cluster.
Potential Impact
For European organizations, the impact of CVE-2025-8904 can be significant, especially for those relying on Amazon EMR for big data analytics, processing, and storage. Unauthorized access to Kerberos credentials can lead to privilege escalation, allowing attackers to gain administrative control over EMR clusters. This can result in unauthorized data access, data manipulation, or disruption of data processing workflows, impacting confidentiality, integrity, and availability of critical business data. Organizations in sectors such as finance, telecommunications, healthcare, and government, which often process sensitive or regulated data, could face compliance violations and reputational damage if exploited. Additionally, the ability to escalate privileges within EMR clusters could be leveraged to pivot to other parts of the corporate network, increasing the overall risk exposure. The vulnerability’s exploitation requires some level of local access, which may limit remote exploitation but does not eliminate risk in environments where multiple users share access or where attackers have compromised lower-privileged accounts. Given the critical CVSS score and the nature of the vulnerability, European organizations must prioritize remediation to prevent potential breaches and operational disruptions.
Mitigation Recommendations
1. Upgrade Amazon EMR clusters to version 7.5 or higher, where the vulnerability is fully addressed.
2. For clusters running versions 6.10 through 7.4, immediately apply the bootstrap scripts and RPM fixes provided by Amazon to remediate the insecure storage of Kerberos credentials.
3. Restrict access to the /tmp/ directory on EMR nodes by implementing stricter file system permissions or mounting /tmp/ with the 'noexec' and 'nosuid' options where feasible.
4. Implement strict user access controls and monitoring to limit the number of users with access to EMR cluster nodes, reducing the risk of unauthorized local access.
5. Employ continuous monitoring and auditing of EMR cluster logs and file system access to detect suspicious activities related to keytab file access or privilege escalation attempts.
6. Consider isolating EMR clusters in dedicated network segments with limited user access to minimize lateral movement opportunities.
7. Educate administrators and users about the risks of storing sensitive credentials in accessible locations and enforce secure credential management best practices.
8. Regularly review and update security configurations and patches for all EMR components to maintain a hardened environment.
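An added audit sketch for recommendations 3 and 5 (not Amazon's bootstrap fix and not code from this advisory): it walks a directory such as /tmp, recognises keytab files by the 0x05 0x02 format marker rather than by name, and reports owner, mode and the principals stored in each file without reading key bytes. The function names and output fields are illustrative, and no keytab file name is assumed because the advisory does not give one.

```python
import os, stat, struct

def _counted(buf, off):  # 16-bit length-prefixed string -> (text, next offset)
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8", "replace"), off + 2 + n

def keytab_principals(data):
    """List (principal, enctype) per entry of a 0x0502 keytab; key bytes are never read."""
    out, pos = [], 2
    try:
        while pos + 4 <= len(data):
            (size,) = struct.unpack_from(">i", data, pos)
            pos += 4
            if size < 0:                       # deleted slot: skip its bytes
                pos -= size
                continue
            entry, pos = data[pos:pos + size], pos + size
            (ncomp,) = struct.unpack_from(">H", entry, 0)
            fields, p = [], 2
            for _ in range(ncomp + 1):         # realm first, then the name components
                text, p = _counted(entry, p)
                fields.append(text)
            (enctype,) = struct.unpack_from(">H", entry, p + 9)  # skip name type, timestamp, kvno8
            out.append(("/".join(fields[1:]) + "@" + fields[0], enctype))
    except struct.error:
        pass                                   # zero-size, truncated, or not really a keytab
    return out

def audit_keytabs(root="/tmp"):
    """Find keytab files under root and report who can reach them."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue                   # ignore symlinks, sockets, FIFOs
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)
            except OSError:
                continue                       # not readable by the auditing account
            if data[:2] != b"\x05\x02":        # keytab format version 2 marker (0x0501 not handled)
                continue
            findings.append({"path": path, "uid": st.st_uid,
                             "mode": oct(stat.S_IMODE(st.st_mode)),
                             "group_or_other_access": bool(st.st_mode & 0o077),
                             "principals": keytab_principals(data)})
    return findings
```

Call `audit_keytabs()` as root on each node so that files unreadable to ordinary accounts are still inventoried. A hit with `group_or_other_access` set identifies a keytab that accounts other than its owner can reach.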
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: AMZN
- Date Reserved: 2025-08-12T19:43:46.286Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689cc8bead5a09ad004f5c94
Added to database: 8/13/2025, 5:17:50 PM
Last enriched: 10/14/2025, 6:29:32 PM
Last updated: 11/13/2025, 8:27:15 PM