LiveActive security incident?Get immediate response
CVE Record

CVE-2025-12801: Nfs-utils: rpc.mountd in the nfs-utils privilege escalation

A vulnerability was recently discovered in the rpc.mountd daemon in the nfs-utils package for Linux, that allows a NFSv3 client to escalate the privileges assigned to it in the /etc/exports file at mount time. In particular, it allows the client to access any subdirectory or subtree of an exported directory, regardless of the set file permissions, and regardless of any 'root_squash' or 'all_squash' attributes that would normally be expected to apply to that client.

MediumCVSS 6.5Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2025-12801 lets an NFSv3 client receive more access than intended when mounting exports from affected Red Hat Linux systems. The main business risk is unauthorized reading of data inside exported directory trees, even where file permissions or squash settings were expected to restrict access.

Executive priority

Prioritize patching NFS servers that expose sensitive shared data or serve broad client populations. This is not a confirmed internet-wide emergency from the provided sources, but it can undermine storage access controls and confidentiality in affected environments.

Technical view

The flaw is in rpc.mountd in nfs-utils. At mount time, a low-privileged NFSv3 client can escalate export-assigned privileges and access subdirectories or subtrees of an exported directory despite permissions, root_squash, or all_squash. Red Hat rates it medium, CVSS 6.5, CWE-279.

Likely exposure

Exposure is most likely on Red Hat systems serving NFSv3 with affected nfs-utils or RHCOS packages. Listed affected products include RHEL 7, 8, 9, 10, RHEL 9 EUS, OpenShift 4.16-4.19 RHCOS, and Red Hat Ceph Storage 8. RHEL 6 status is listed as unknown.

Exploitation context

The CVSS vector indicates network access, low attack complexity, low privileges, and no user interaction. The source bundle does not indicate CISA KEV listing or active exploitation. Impact is primarily confidentiality: unauthorized access to exported directory content.

Researcher notes

Key constraints are NFSv3 client access and affected Red Hat rpc.mountd/nfs-utils versions. The bug concerns export privilege handling at mount time, not code execution. Public sources provided do not include proof-of-concept details or evidence of exploitation in the wild.

Mitigation direction

  • Apply the applicable Red Hat RHSA updates for affected nfs-utils, RHCOS, or Ceph Storage packages.
  • Review Red Hat CVE and errata pages for product-specific fixed package versions and upgrade paths.
  • Inventory NFSv3 exports and reduce access to trusted clients wherever operationally possible.
  • For RHEL 6, check Red Hat guidance because the provided status is unknown.
  • Review /etc/exports assumptions; do not rely on squash settings alone until patched.

Validation and detection

  • Identify systems running NFS services with rpc.mountd and nfs-utils installed.
  • Compare installed package versions against the affected versions and Red Hat errata.
  • Confirm whether NFSv3 exports are enabled and reachable from client networks.
  • Review /etc/exports for sensitive directories or broad client access.
  • After updating, verify packages match Red Hat fixed advisories for the relevant product stream.
Prepared
Confidence
high
Sources
12

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-279: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
description · low confidence lookup

Privilege behavior lookup

The CVE wording references privilege impact, so privilege escalation and authorization behavior review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
description · low confidence lookup

Container behavior lookup

The affected technology mentions containers, so container-specific ATT&CK technique review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2025-12801 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
6.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
5Timeline events
1ADP providers
13Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
6.5CVSS 3.1MediumCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N2.83.6redhat

Vulnerability scoring details

Base CVSS 3.1 score

6.5Medium
CVSS 3.1 vector shape for CVE-2025-12801Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. Source timelineredhat

    Reported to Red Hat.

  2. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  3. Source timelineredhat

    Made public.

  4. CVE publishedCVE Program

    The CVE record was published.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Red HatRed Hat Enterprise Linux 10nfs-utils, 1:2.8.3-0.el10_1.3affected
Red HatRed Hat Enterprise Linux 8nfs-utils, 1:2.3.3-68.el8_10affected
Red HatRed Hat Enterprise Linux 9nfs-utils, 1:2.5.4-38.el9_7.3affected
Red HatRed Hat Enterprise Linux 9nfs-utils, 1:2.5.4-38.el9_7.3affected
Red HatRed Hat Enterprise Linux 9.4 Extended Update Supportnfs-utils, 1:2.5.4-26.el9_4.3affected
Red HatRed Hat Enterprise Linux 9.6 Extended Update Supportnfs-utils, 1:2.5.4-34.el9_6.3affected
Red HatRed Hat OpenShift Container Platform 4.16rhcos, 416.94.202603231244-0affected
Red HatRed Hat OpenShift Container Platform 4.17rhcos, 417.94.202603242359-0affected
Red HatRed Hat OpenShift Container Platform 4.18rhcos, 418.94.202603181125-0affected
Red HatRed Hat OpenShift Container Platform 4.19rhcos, 4.19.9.6.202603251941-0affected
Red HatRed Hat Ceph Storage 8rhceph/rhceph-8-rhel9, 1774002867affected
Red HatRed Hat Enterprise Linux 6nfs-utilsunknown
Red HatRed Hat Enterprise Linux 6nfs-utils-libunknown
Red HatRed Hat Enterprise Linux 7nfs-utilsaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-279 · source CWE mapping

Incorrect Execution-Assigned Permissions

Incorrect Execution-Assigned Permissions represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.