Description
Coolify is an open-source and self-hostable tool for managing servers, applications, and databases. In Coolify versions prior to and including v4.0.0-beta.434, low privileged users are able to see the private key of the root user on the Coolify instance. This allows them to ssh to the server and authenticate as root user, using the private key. As of time of publication, it is unclear if a patch is available.
EPSS Score:
0%
Comprehensive Technical Analysis of EUVD-2025-206245 (CVE-2025-64420)
Coolify Privilege Escalation via Root SSH Private Key Exposure
1. Vulnerability Assessment & Severity Evaluation
Vulnerability Overview
EUVD-2025-206245 (CVE-2025-64420) is a critical privilege escalation vulnerability in Coolify, an open-source, self-hostable infrastructure management tool. The flaw allows low-privileged users to access the root user’s SSH private key, enabling unauthorized remote code execution (RCE) with root privileges on the underlying server.
CVSS 3.1 Scoring & Severity
| Metric | Value | Explanation |
|---|---|---|
| Base Score | 10.0 (Critical) | Maximum severity due to complete system compromise. |
| Attack Vector (AV) | Network (N) | Exploitable remotely without physical access. |
| Attack Complexity (AC) | Low (L) | No specialized conditions required. |
| Privileges Required (PR) | Low (L) | Only low-privileged access needed (e.g., non-admin user). |
| User Interaction (UI) | None (N) | No user interaction required. |
| Scope (S) | Changed (C) | Impact extends beyond the vulnerable component (Coolify) to the host system. |
| Confidentiality (C) | High (H) | Full disclosure of root SSH private key. |
| Integrity (I) | High (H) | Attacker can modify system files, deploy malware, or alter configurations. |
| Availability (A) | High (H) | Attacker can disrupt services, delete data, or render the system unusable. |
Risk Assessment
- Exploitability: High (low skill required, no authentication bypass needed).
- Impact: Catastrophic (full system compromise, lateral movement, persistence).
- Likelihood of Exploitation: High (publicly disclosed, no patch available at time of publication).
- Business Impact: Severe (data breaches, ransomware deployment, regulatory penalties under GDPR/NIS2).
2. Potential Attack Vectors & Exploitation Methods
Exploitation Pathway
-
Initial Access:
- Attacker gains low-privileged access to Coolify (e.g., via a compromised user account, weak credentials, or another vulnerability).
- No administrative rights are required.
-
Private Key Exposure:
- The vulnerability allows the attacker to retrieve the root user’s SSH private key from Coolify’s configuration or storage.
- The exact method of exposure (e.g., misconfigured file permissions, API endpoint leakage, or log files) is not specified in the advisory but is likely due to improper access controls or hardcoded credentials.
-
Privilege Escalation & Lateral Movement:
- Attacker uses the stolen private key to SSH into the host server as root.
- From there, they can:
- Execute arbitrary commands with full privileges.
- Exfiltrate sensitive data (databases, application secrets, backups).
- Deploy malware/ransomware (e.g., encrypting critical infrastructure).
- Establish persistence (e.g., adding SSH keys, creating backdoor users).
- Move laterally to other systems in the network.
-
Post-Exploitation:
- Covering tracks (log tampering, disabling auditing).
- Maintaining access (e.g., via cron jobs, reverse shells, or hidden users).
- Exfiltrating data (e.g., via encrypted tunnels or steganography).
Proof-of-Concept (PoC) Exploitation
While no public PoC exists at the time of analysis, a hypothetical attack could involve:
# 1. Retrieve the root SSH private key (exact method depends on Coolify's implementation)
curl -s http://coolify-instance/api/private-key | jq '.root_ssh_key' > root_key.pem
chmod 600 root_key.pem
# 2. SSH into the server as root
ssh -i root_key.pem root@coolify-host
Mitigation Bypass Considerations
- If the private key is hardcoded or stored in plaintext, rotating it may not be sufficient if the vulnerability persists.
- If the key is dynamically generated but improperly protected, patching Coolify is required.
3. Affected Systems & Software Versions
Vulnerable Versions
- Coolify ≤ v4.0.0-beta.434 (all prior versions are assumed vulnerable).
- Self-hosted instances (cloud or on-premises deployments).
- Multi-tenant environments (shared Coolify instances increase risk).
Unaffected Versions
- Coolify v4.0.0-beta.435+ (if a patch is released).
- Managed Coolify services (if the vendor has applied mitigations).
Dependencies & Impacted Components
- Underlying Host OS: Linux (most common deployment target).
- SSH Configuration: If
PermitRootLoginis enabled (common in self-hosted setups). - Coolify Plugins/Integrations: May extend attack surface (e.g., Docker, Kubernetes, database connectors).
4. Recommended Mitigation Strategies
Immediate Actions (Workarounds)
| Mitigation | Implementation | Effectiveness | Risk |
|---|---|---|---|
| Disable Root SSH Access | Set PermitRootLogin no in /etc/ssh/sshd_config and restart SSH. | High (prevents direct root login) | Low (may break legitimate automation) |
| Rotate Root SSH Keys | Generate a new key pair and replace the exposed key. | Medium (only effective if vulnerability is patched) | Medium (temporary fix) |
| Restrict Coolify User Permissions | Limit user roles to least privilege (avoid granting unnecessary access). | Medium (reduces attack surface) | Low |
| Network Segmentation | Isolate Coolify instances in a DMZ or private subnet. | High (limits lateral movement) | Medium (operational overhead) |
| Disable Coolify SSH Key Management | If possible, disable Coolify’s SSH key management feature. | High (removes attack vector) | High (may break functionality) |
Long-Term Remediation
-
Apply Vendor Patch (When Available)
- Monitor Coolify’s GitHub Security Advisories for updates.
- Test and deploy patches in a staging environment before production.
-
Implement Zero Trust Principles
- Multi-Factor Authentication (MFA) for Coolify access.
- Just-In-Time (JIT) Privilege Escalation (e.g., temporary sudo access).
- Session Monitoring & Anomaly Detection (e.g., SIEM integration).
-
Hardening Coolify Deployments
- Disable Unused Features (e.g., SSH key management if not needed).
- Enable Audit Logging (track user actions, API calls, and key access).
- Regular Vulnerability Scanning (e.g., Nessus, OpenVAS, or Trivy).
-
Infrastructure-Level Protections
- Immutable Infrastructure: Use ephemeral containers/VMs for Coolify.
- Runtime Application Self-Protection (RASP): Deploy tools like Falco or Aqua Security to detect anomalous behavior.
- Network Microsegmentation: Restrict Coolify’s access to only necessary systems.
-
Incident Response Planning
- Assume Breach: Prepare for root-level compromise (e.g., forensic readiness, backup validation).
- Key Rotation Procedures: Automate SSH key rotation post-compromise.
- Legal & Compliance: Ensure GDPR/NIS2 reporting readiness for data breaches.
5. Impact on the European Cybersecurity Landscape
Regulatory & Compliance Risks
- GDPR (General Data Protection Regulation):
- Unauthorized access to root SSH keys may lead to data breaches, triggering Article 33 (72-hour breach notification).
- Fines up to €20 million or 4% of global revenue (whichever is higher).
- NIS2 Directive (Network and Information Security):
- Critical infrastructure operators (e.g., cloud providers, financial services) using Coolify may face enhanced scrutiny.
- Mandatory incident reporting and risk management measures.
- DORA (Digital Operational Resilience Act):
- Financial entities must ensure third-party risk management (Coolify as a vendor).
Sector-Specific Risks
| Sector | Potential Impact | Mitigation Priority |
|---|---|---|
| Cloud & Hosting Providers | Mass compromise of customer instances. | Critical (immediate patching) |
| Financial Services | Unauthorized transactions, data theft. | Critical (NIS2/DORA compliance) |
| Healthcare (Hospitals, EHRs) | Patient data exposure, ransomware. | Critical (GDPR/HIPAA) |
| Government & Defense | Espionage, critical infrastructure sabotage. | Critical (classified data handling) |
| Startups & SMEs | Limited resources for incident response. | High (cost-effective hardening) |
Threat Actor Interest
- Opportunistic Attackers: Automated scans for exposed Coolify instances.
- Ransomware Groups: Initial access for double extortion (data theft + encryption).
- APT Groups: Persistent access for espionage or supply-chain attacks.
- Cryptojackers: Unauthorized resource hijacking for mining.
European CERT/CSIRT Response
- ENISA (European Union Agency for Cybersecurity):
- Likely to issue alerts to member states.
- May coordinate cross-border incident response.
- National CERTs (e.g., CERT-EU, BSI, ANSSI):
- Vulnerability bulletins for critical infrastructure.
- Threat intelligence sharing with affected organizations.
- Industry ISACs (e.g., FS-ISAC, Health-ISAC):
- Sector-specific mitigation guidance.
6. Technical Details for Security Professionals
Root Cause Analysis
The vulnerability stems from one or more of the following design flaws:
- Improper Access Controls:
- Coolify may store the root SSH private key in a world-readable file or database entry.
- Example:
/var/lib/coolify/ssh/root_keywith644permissions.
- Insecure API Endpoints:
- A low-privileged API endpoint (e.g.,
/api/ssh-keys) may expose the key. - Example: Missing authorization checks in
getRootSSHKey().
- A low-privileged API endpoint (e.g.,
- Hardcoded Credentials:
- The private key may be embedded in configuration files (e.g.,
config.yml).
- The private key may be embedded in configuration files (e.g.,
- Log Exposure:
- Debug logs or error messages may inadvertently leak the key.
Forensic Indicators of Compromise (IoCs)
| Indicator | Detection Method | Tool/Command |
|---|---|---|
| Unauthorized SSH Logins | Check /var/log/auth.log for root logins from unexpected IPs. | grep "Accepted publickey for root" /var/log/auth.log |
| Private Key Access | Audit file access to Coolify’s SSH key storage. | auditctl -w /var/lib/coolify/ssh -p r -k coolify_ssh |
| Anomalous API Calls | Review Coolify logs for /api/ssh-keys requests. | grep "/api/ssh-keys" /var/log/coolify/access.log |
| New SSH Authorized Keys | Check for unexpected keys in ~/.ssh/authorized_keys. | cat ~/.ssh/authorized_keys |
| Process Injection | Look for unusual processes (e.g., reverse shells). | ps auxf | grep -E "nc|python|bash" |
Exploitation Detection & Hunting
- SIEM Rules (e.g., Splunk, ELK, QRadar):
index=coolify_logs sourcetype=coolify_api | search uri="/api/ssh-keys" AND user_role="low_privileged" | stats count by src_ip, user, _time | where count > 1 - YARA Rule for Private Key Detection:
rule Detect_SSH_Private_Key { meta: description = "Detects SSH private keys in Coolify storage" author = "Security Team" strings: $header = "-----BEGIN OPENSSH PRIVATE KEY-----" $footer = "-----END OPENSSH PRIVATE KEY-----" condition: $header and $footer } - Network Traffic Analysis:
- Monitor for SSH connections from Coolify IPs to unexpected destinations.
- Use Zeek (Bro) or Suricata to detect SSH brute-forcing.
Reverse Engineering & Patch Analysis
If a patch is released, security teams should:
- Diff the Code:
git diff v4.0.0-beta.434 v4.0.0-beta.435 -- src/api/ssh_keys.rs - Check for:
- Added authorization checks (e.g.,
if user.role != "admin"). - Key storage encryption (e.g.,
AES-256-GCM). - Rate limiting on SSH key API endpoints.
- Added authorization checks (e.g.,
- Fuzz Testing:
- Use AFL++ or LibFuzzer to test the patched API for regressions.
Alternative Attack Surface Considerations
- Supply Chain Risks:
- If Coolify pulls dependencies from untrusted sources, attackers could backdoor the toolchain.
- Container Escape:
- If Coolify runs in Docker/Kubernetes, a root SSH key could enable container breakout.
- CI/CD Pipeline Compromise:
- Attackers could inject malicious code into Coolify’s build process.
Conclusion & Recommendations
Key Takeaways
- EUVD-2025-206245 is a critical vulnerability with maximum CVSS score (10.0) due to its low complexity, high impact, and network-based exploitability.
- Exploitation leads to full system compromise, enabling data theft, ransomware, and lateral movement.
- No patch is available at the time of publication, requiring immediate workarounds (e.g., disabling root SSH, rotating keys).
- European organizations must prioritize mitigation to comply with GDPR, NIS2, and DORA.
Action Plan for Security Teams
| Priority | Action | Owner | Timeline |
|---|---|---|---|
| Critical | Disable root SSH access (PermitRootLogin no). | SysAdmins | Immediate (24h) |
| Critical | Rotate all SSH keys on affected systems. | DevOps/Security | Immediate (48h) |
| High | Isolate Coolify instances in a DMZ. | Network Team | Within 7 days |
| High | Deploy SIEM rules to detect exploitation attempts. | SOC | Within 7 days |
| Medium | Monitor for vendor patch and test in staging. | DevOps | Ongoing |
| Medium | Conduct a post-mitigation audit (e.g., key rotation verification). | Security Team | Within 14 days |
Final Recommendations
- Assume compromise if Coolify is exposed to untrusted users.
- Monitor for unusual SSH activity (e.g., root logins from new IPs).
- Engage with ENISA/CERT-EU if operating in critical infrastructure.
- Prepare for regulatory reporting under GDPR/NIS2 if a breach occurs.
- Consider alternative tools (e.g., Portainer, Rancher, or Terraform) if Coolify remains unpatched.
For further updates, monitor:
References
Affected Products
coolify
Version: ≤ 4.0.0-beta.434
Vendors
coollabsio