CVE-2025-2515 HIGH

CVE-2025-2515: Bluechi: privilege escalation in bluechi via unrestricted cross-node systemd dependencies

Vendor Eclipse Foundation

Product BlueChi

Weakness CWE-863 · Incorrect authorization

Published December 24, 2025

Last update December 24, 2025

View on NVD All CVEs

CVSS base score

7.2/10

Attack vector Physical

Attack complexity Low

Privileges required High

User interaction None

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

What the vulnerability does

01Description

A vulnerability was found in BlueChi, a multi-node systemd service controller used in RHIVOS. This flaw allows a user with root privileges on a managed node (qm) to create or override systemd service unit files that affect the host node. This issue can lead to privilege escalation, unauthorized service execution, and potential system compromise.

Key dates

02Disclosure timeline

December 24, 2025 CVE published

December 24, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-2515

Related vulnerabilities

04Related CVE

CVE-2024-41964 Insufficient permission checks in the language settings in Kirby CMS CVE-2024-45081 IBM Cognos Controller incorrect authorization CVE-2026-44633 Live Helper Chat: REST API chat update accepts arbitrary chat fields across department boundaries CVE-2024-10953 data.all authenticated users can perform mutating update operations on persisted notification records CVE-2026-34364 AVideo has User Group-Based Category Access Control Bypass via Missing and Broken Group Filtering in categories.json.php