CVE-2025-8904 CRITICAL

CVE-2025-8904: Privilege escalation issue in Amazon EMR Secret Agent component

Vendor: Amazon
Product: EMR
Weakness: CWE-257
Published: August 13, 2025
Last update: February 26, 2026

CVSS base score

9.0/10
Attack vector: Network
Attack complexity: High
Privileges required: Low
User interaction: None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

01 Description

Amazon EMR Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and another account can potentially decrypt the keys and escalate to higher privileges. Users are advised to upgrade to Amazon EMR version 7.5 or higher. For Amazon EMR releases between 6.10 and 7.4, we strongly recommend that you run the bootstrap script and RPM files with the fix provided in the location below.

Key dates

02 Disclosure timeline

August 13, 2025: CVE published
February 26, 2026: Record updated