CVE-2025-13609 HIGH

CVE-2025-13609: Keylime: keylime: registrar allows identity takeover via duplicate uuid registration

Vendor Keylime Project
Product keylime
Weakness CWE-694
Published November 24, 2025
Last update March 19, 2026

CVSS base score

8.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L

What the vulnerability does

01 Description

A flaw in Keylime's registrar lets an attacker register a new agent using a different Trusted Platform Module (TPM) device while claiming an existing agent's unique identifier (UUID). The registration overwrites the legitimate agent's identity, enabling the attacker to impersonate the compromised agent and potentially bypass security controls.
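
A simplified model of the overwrite described above next to a registrar-side check that keeps a UUID bound to the TPM it was first registered with. This is an added illustration, not Keylime's code or its actual fix; the class names, the in-memory store, the sample values and the use of a SHA-256 endorsement-key fingerprint as the TPM identity are assumptions.

```python
import hashlib


class DuplicateIdentityError(Exception):
    """A known UUID was presented together with a different TPM key."""


def ek_fingerprint(ek_pub: bytes) -> str:
    # Assumption: the TPM is identified by a hash of its endorsement key bytes.
    return hashlib.sha256(ek_pub).hexdigest()


class OverwritingRegistrar:
    """Models the flaw: the last registration for a UUID silently wins."""

    def __init__(self):
        self.agents = {}  # uuid -> TPM key fingerprint

    def register(self, uuid: str, ek_pub: bytes) -> str:
        self.agents[uuid] = ek_fingerprint(ek_pub)
        return self.agents[uuid]


class BindingRegistrar(OverwritingRegistrar):
    """Models the mitigation: a UUID stays bound to its first TPM key."""

    def __init__(self):
        super().__init__()
        self.rejected = []  # (uuid, known_fp, offered_fp) kept for alerting

    def register(self, uuid: str, ek_pub: bytes) -> str:
        offered = ek_fingerprint(ek_pub)
        known = self.agents.get(uuid)
        if known is not None and known != offered:
            # Same UUID, different TPM: refuse and record instead of overwriting.
            self.rejected.append((uuid, known, offered))
            raise DuplicateIdentityError(f"{uuid} is bound to another TPM key")
        self.agents[uuid] = offered  # first registration, or same TPM again
        return offered


def demo():
    uuid = "00000000-0000-4000-8000-000000000001"  # constructed sample UUID
    first_ek, second_ek = b"constructed-ek-A", b"constructed-ek-B"
    weak, strict = OverwritingRegistrar(), BindingRegistrar()
    for ek in (first_ek, second_ek):
        weak.register(uuid, ek)  # second call replaces the stored identity
    strict.register(uuid, first_ek)
    try:
        strict.register(uuid, second_ek)
        blocked = False
    except DuplicateIdentityError:
        blocked = True
    return weak.agents[uuid], strict.agents[uuid], blocked
```

The `rejected` list doubles as a detection signal: a registration attempt that pairs a known UUID with an unfamiliar TPM key is worth alerting on even when it is refused.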

Key dates

02 Disclosure timeline

November 24, 2025 CVE published
March 19, 2026 Record updated