Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…
EPSS 0.3%top 77%

CVE-2025-8904: CWE-257: Storing Passwords in a Recoverable Format in Amazon EMR

0
Critical
VulnerabilityCVE-2025-8904cvecve-2025-8904cwe-257
Published: 08/13/2025 (08/13/2025, 17:06:29 UTC)
Source: CVE Database V5
Vendor/Project: Amazon
Product: EMR

Description

CVE-2025-8904 is a critical vulnerability in Amazon EMR versions 6.10 through 7.4 where the Secret Agent component stores Kerberos credentials in a recoverable format within a keytab file located in the /tmp/ directory. This insecure storage allows users with access to the /tmp/ directory and another account on the system to potentially decrypt the keys and escalate privileges. The vulnerability has a CVSS 4.0 base score of 9, indicating high severity. Users are advised to upgrade to Amazon EMR version 7.5 or higher or apply the vendor-provided bootstrap script and RPM fixes for affected versions to remediate this issue.

CVSS v4.0

Score 9.0critical

Attack Vector
Network
Attack Complexity
High
Attack Requirements
Present
Privileges Required
Low
User Interaction
None
Vuln. Confidentiality
High
Vuln. Integrity
High
Vuln. Availability
High
Subsq. Confidentiality
High
Subsq. Integrity
High
Subsq. Availability
High
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Affected software

Affected versions
=6.10

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 06/05/2026, 19:28:39 UTC

Technical Analysis

Amazon EMR versions 6.10 through 7.4 contain a vulnerability (CVE-2025-8904) where the Secret Agent component stores Kerberos credentials in a keytab file in the /tmp/ directory in a recoverable format. This improper storage of sensitive credentials (CWE-257) can allow local users with access to /tmp/ and another account to decrypt the keys, potentially leading to privilege escalation. The vulnerability is rated critical with a CVSS 4.0 score of 9. The vendor recommends upgrading to version 7.5 or later or applying provided bootstrap scripts and RPM fixes to mitigate the issue.

Potential Impact

The vulnerability allows unauthorized users with access to the /tmp/ directory and another account on the same system to decrypt stored Kerberos credentials, which can lead to privilege escalation. This compromises the confidentiality and integrity of authentication credentials within affected Amazon EMR versions, potentially enabling attackers to gain elevated access.

Mitigation Recommendations

A fix is available. Users should upgrade Amazon EMR to version 7.5 or higher. Alternatively, for affected versions, users should apply the vendor-provided bootstrap script and RPM fixes as recommended by Amazon. These actions address the insecure storage of Kerberos credentials and mitigate the risk of privilege escalation.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.1
Assigner Short Name
AMZN
Date Reserved
2025-08-12T19:43:46.286Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 689cc8bead5a09ad004f5c94

Added to database: 08/13/2025, 17:17:50 UTC

Last enriched: 06/05/2026, 19:28:39 UTC

Last updated: 07/03/2026, 08:51:23 UTC

Views: 1593

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses