CVE-2025-12801: Nfs-utils: rpc.mountd in the nfs-utils privilege escalation
A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the
privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.
Security readout for executives and security teams
Plain-English summary
CVE-2025-12801 lets an NFSv3 client receive more access than intended when mounting exports from affected Red Hat Linux systems. The main business risk is unauthorized reading of data inside exported directory trees, even where file permissions or squash settings were expected to restrict access.
Executive priority
Prioritize patching NFS servers that expose sensitive shared data or serve broad client populations. This is not a confirmed internet-wide emergency from the provided sources, but it can undermine storage access controls and confidentiality in affected environments.
Technical view
The flaw is in rpc.mountd in nfs-utils. At mount time, a low-privileged NFSv3 client can escalate export-assigned privileges and access subdirectories or subtrees of an exported directory despite permissions, root_squash, or all_squash. Red Hat rates it medium, CVSS 6.5, CWE-279.
Likely exposure
Exposure is most likely on Red Hat systems serving NFSv3 with affected nfs-utils or RHCOS packages. Listed affected products include RHEL 7, 8, 9, 10, RHEL 9 EUS, OpenShift 4.16-4.19 RHCOS, and Red Hat Ceph Storage 8. RHEL 6 status is listed as unknown.
Exploitation context
The CVSS vector indicates network access, low attack complexity, low privileges, and no user interaction. The source bundle does not indicate CISA KEV listing or active exploitation. Impact is primarily confidentiality: unauthorized access to exported directory content.
Researcher notes
Key constraints are NFSv3 client access and affected Red Hat rpc.mountd/nfs-utils versions. The bug concerns export privilege handling at mount time, not code execution. Public sources provided do not include proof-of-concept details or evidence of exploitation in the wild.
Mitigation direction
Apply the applicable Red Hat RHSA updates for affected nfs-utils, RHCOS, or Ceph Storage packages.
Review Red Hat CVE and errata pages for product-specific fixed package versions and upgrade paths.
Inventory NFSv3 exports and reduce access to trusted clients wherever operationally possible.
For RHEL 6, check Red Hat guidance because the provided status is unknown.
Review /etc/exports assumptions; do not rely on squash settings alone until patched.
Validation and detection
Identify systems running NFS services with rpc.mountd and nfs-utils installed.
Compare installed package versions against the affected versions and Red Hat errata.
Confirm whether NFSv3 exports are enabled and reachable from client networks.
Review /etc/exports for sensitive directories or broad client access.
After updating, verify packages match Red Hat fixed advisories for the relevant product stream.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-279: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references privilege impact, so privilege escalation and authorization behavior review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-279 · source CWE mapping
Incorrect Execution-Assigned Permissions
Incorrect Execution-Assigned Permissions represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.