CVE-2025-8904: CWE-257: Storing Passwords in a Recoverable Format in Amazon EMR

Critical
Published: Wed Aug 13 2025 (08/13/2025, 17:06:29 UTC)
Source: CVE Database V5
Vendor/Project: Amazon
Product: EMR

Description

Amazon EMR Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and another account can potentially decrypt the keys and escalate to higher privileges. Users are advised to upgrade to Amazon EMR version 7.5 or higher. For Amazon EMR releases between 6.10 and 7.4, we strongly recommend that you run the bootstrap script and RPM files with the fix provided in the location below.

AI-Powered Analysis

Last updated: 08/13/2025, 17:32:59 UTC

Technical Analysis

CVE-2025-8904 is a critical vulnerability affecting Amazon EMR (Elastic MapReduce) versions 6.10 through 7.4, related to the improper storage of Kerberos credentials by the Amazon EMR Secret Agent. Specifically, the Secret Agent creates a keytab file containing Kerberos credentials and stores it in the /tmp/ directory, a location typically accessible by other users on the same system. Because the keytab file is stored in a recoverable format, an attacker with access to the /tmp/ directory and a secondary account on the system can potentially decrypt these credentials. This decryption enables privilege escalation, allowing the attacker to impersonate higher-privileged users or services within the Kerberos authentication framework. The vulnerability is classified under CWE-257, which concerns storing passwords or credentials in a recoverable format, thereby increasing the risk of credential compromise. The CVSS 4.0 score is 9.0 (critical), reflecting the high impact on confidentiality, integrity, and availability, combined with the network attack vector and the requirement for some privileges and authentication. The vulnerability does not require user interaction but does require a low level of privileges (a secondary account) on the system. Amazon has advised upgrading to EMR version 7.5 or higher, where this issue is resolved. For versions between 6.10 and 7.4, a bootstrap script and RPM files with a fix are recommended to mitigate the vulnerability. No known exploits are currently reported in the wild, but the severity and nature of the vulnerability make it a significant risk for affected environments.

Potential Impact

For European organizations using Amazon EMR, this vulnerability poses a significant risk of unauthorized privilege escalation within their big data processing environments. Since EMR is often used to process sensitive data, including personal data protected under GDPR, compromise of Kerberos credentials could lead to unauthorized data access, data exfiltration, or manipulation of data processing workflows. The ability to escalate privileges could also allow attackers to move laterally within the cloud environment, potentially affecting other services and increasing the attack surface. This could result in severe confidentiality breaches, integrity violations, and availability disruptions. Given the critical nature of the vulnerability and the widespread use of Amazon EMR in sectors such as finance, healthcare, and government across Europe, the impact could extend to regulatory non-compliance, financial losses, and reputational damage. The vulnerability's exploitation could also undermine trust in cloud-based big data solutions, which are increasingly integral to European digital transformation initiatives.

Mitigation Recommendations

European organizations should immediately assess their Amazon EMR deployments to identify affected versions (6.10 through 7.4). The primary mitigation is to upgrade all EMR clusters to version 7.5 or higher, where the vulnerability is fixed. For environments where immediate upgrade is not feasible, organizations should apply the provided bootstrap script and RPM fixes from Amazon to remediate the issue. Additionally, organizations should restrict access to the /tmp/ directory on EMR nodes by implementing strict file system permissions and monitoring access logs for unusual activity. Employing strong access controls and auditing for secondary user accounts on EMR nodes can reduce the risk of exploitation. Organizations should also consider isolating EMR clusters within private subnets and leveraging IAM policies to limit user privileges. Regularly rotating Kerberos credentials and monitoring for anomalous authentication attempts can help detect potential exploitation. Finally, integrating these mitigations into the organization's incident response and vulnerability management processes will ensure timely detection and remediation of similar issues.
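The file-permission check recommended above can be scripted per node. The following is an added example, not Amazon's bootstrap script or fix: it walks a directory, identifies keytab files by their two-byte format header rather than by name, and reports owner, mode and whether any group/other permission bit is set. The function names `audit_keytabs` and `demo` and the sample files are constructed for illustration; files the invoking user cannot read are skipped, so run it as root for full coverage.

```python
import os
import stat
import tempfile

# Keytab files begin with 0x05 followed by the format version (0x01 or 0x02).
KEYTAB_MAGIC = (b"\x05\x01", b"\x05\x02")


def audit_keytabs(root="/tmp"):
    """Return one finding per keytab-format regular file found under root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)               # lstat: never follow symlinks
                if not stat.S_ISREG(st.st_mode):  # skip FIFOs, sockets, links
                    continue
                with open(path, "rb") as fh:
                    if fh.read(2) not in KEYTAB_MAGIC:
                        continue
            except OSError:
                continue                          # unreadable or vanished file
            mode = stat.S_IMODE(st.st_mode)
            findings.append({
                "path": path,
                "owner_uid": st.st_uid,
                "mode": oct(mode),
                # Any group/other permission bit means other accounts can reach it.
                "exposed": bool(mode & 0o077),
            })
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Run the audit over constructed sample files (not real credentials)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {"svc.keytab": (b"\x05\x02" + b"\x00" * 16, 0o644),
                   "locked.keytab": (b"\x05\x02" + b"\x00" * 16, 0o600),
                   "notes.txt": (b"not a keytab", 0o644)}
        for name, (data, mode) in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(data)
            os.chmod(path, mode)
        return [(os.path.basename(f["path"]), f["exposed"])
                for f in audit_keytabs(root)]


if __name__ == "__main__":
    for finding in audit_keytabs("/tmp"):
        print(finding)
```

Any keytab reported under /tmp on an affected release is worth investigating even when `exposed` is false, since the advisory concerns the storage location itself.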

Technical Details

Data Version: 5.1
Assigner Short Name: AMZN
Date Reserved: 2025-08-12T19:43:46.286Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 689cc8bead5a09ad004f5c94

Added to database: 8/13/2025, 5:17:50 PM

Last enriched: 8/13/2025, 5:32:59 PM

Last updated: 8/14/2025, 9:32:31 AM
