CVE-2025-8904: CWE-257: Storing Passwords in a Recoverable Format in Amazon EMR
CVE-2025-8904 is a critical vulnerability in Amazon EMR versions 6.10 through 7.4 where the Secret Agent component stores Kerberos credentials in a recoverable format within a keytab file located in the /tmp/ directory. This insecure storage allows users with access to the /tmp/ directory and another account on the system to potentially decrypt the keys and escalate privileges. The vulnerability has a CVSS 4.0 base score of 9, indicating high severity. Users are advised to upgrade to Amazon EMR version 7.5 or higher or apply the vendor-provided bootstrap script and RPM fixes for affected versions to remediate this issue.
AI Analysis
Technical Summary
Amazon EMR versions 6.10 through 7.4 contain a vulnerability (CVE-2025-8904) where the Secret Agent component stores Kerberos credentials in a keytab file in the /tmp/ directory in a recoverable format. This improper storage of sensitive credentials (CWE-257) can allow local users with access to /tmp/ and another account to decrypt the keys, potentially leading to privilege escalation. The vulnerability is rated critical with a CVSS 4.0 score of 9. The vendor recommends upgrading to version 7.5 or later or applying provided bootstrap scripts and RPM fixes to mitigate the issue.
Potential Impact
The vulnerability allows unauthorized users with access to the /tmp/ directory and another account on the same system to decrypt stored Kerberos credentials, which can lead to privilege escalation. This compromises the confidentiality and integrity of authentication credentials within affected Amazon EMR versions, potentially enabling attackers to gain elevated access.
Mitigation Recommendations
A fix is available. Users should upgrade Amazon EMR to version 7.5 or higher. Alternatively, for affected versions, users should apply the vendor-provided bootstrap script and RPM fixes as recommended by Amazon. These actions address the insecure storage of Kerberos credentials and mitigate the risk of privilege escalation.
CVE-2025-8904: CWE-257: Storing Passwords in a Recoverable Format in Amazon EMR
Description
CVE-2025-8904 is a critical vulnerability in Amazon EMR versions 6.10 through 7.4 where the Secret Agent component stores Kerberos credentials in a recoverable format within a keytab file located in the /tmp/ directory. This insecure storage allows users with access to the /tmp/ directory and another account on the system to potentially decrypt the keys and escalate privileges. The vulnerability has a CVSS 4.0 base score of 9, indicating high severity. Users are advised to upgrade to Amazon EMR version 7.5 or higher or apply the vendor-provided bootstrap script and RPM fixes for affected versions to remediate this issue.
CVSS v4.0
Score 9.0critical
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Amazon EMR versions 6.10 through 7.4 contain a vulnerability (CVE-2025-8904) where the Secret Agent component stores Kerberos credentials in a keytab file in the /tmp/ directory in a recoverable format. This improper storage of sensitive credentials (CWE-257) can allow local users with access to /tmp/ and another account to decrypt the keys, potentially leading to privilege escalation. The vulnerability is rated critical with a CVSS 4.0 score of 9. The vendor recommends upgrading to version 7.5 or later or applying provided bootstrap scripts and RPM fixes to mitigate the issue.
Potential Impact
The vulnerability allows unauthorized users with access to the /tmp/ directory and another account on the same system to decrypt stored Kerberos credentials, which can lead to privilege escalation. This compromises the confidentiality and integrity of authentication credentials within affected Amazon EMR versions, potentially enabling attackers to gain elevated access.
Mitigation Recommendations
A fix is available. Users should upgrade Amazon EMR to version 7.5 or higher. Alternatively, for affected versions, users should apply the vendor-provided bootstrap script and RPM fixes as recommended by Amazon. These actions address the insecure storage of Kerberos credentials and mitigate the risk of privilege escalation.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- AMZN
- Date Reserved
- 2025-08-12T19:43:46.286Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 689cc8bead5a09ad004f5c94
Added to database: 08/13/2025, 17:17:50 UTC
Last enriched: 06/05/2026, 19:28:39 UTC
Last updated: 07/03/2026, 08:51:23 UTC
Views: 1593
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.