CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2025-8904 - Issue with Amazon EMR Secret Agent component

highCVE-2025-8904
Bulletin ID: AWS-2025-017 Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/08/13 10:00 PM PDT Description: Amazon EMR is a managed cluster platform that simplifies running big data frameworks on AWS to process and analyze vast amounts of data. We identified CVE-2025-8904, an issue in the Amazon EMR Secret Agent component. The Secret Agent component securely stores secrets and distributes secrets to other Amazon EMR components and applications. When using Amazon EMR clusters with one or more Lake Formation, Apache Ranger, runtime role, or Identity Center feature that uses this component, Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and another account can potentially decrypt the keys and escalate to higher privileges. We implemented a fix that removes /tmp/ as a staging directory for Kerberos credentials, eliminating the possibility of users accessing the keytab file. The fix is available in Amazon EMR release 7.5 and higher. Affected versions: Amazon EMR version 6.10 through 7.4

CSIRTS triage

What
An issue allows a user to potentially decrypt Kerberos credentials stored in a keytab file.
Who is affected
Users with access to the /tmp/ directory in Amazon EMR clusters using certain features.
Urgency
Remediation is urgent due to the potential for privilege escalation.
Action
Remove the /tmp/ directory keytab file as part of the fix.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch EMR Secret Agent

Get an email when a new EMR Secret Agent advisory drops — max one per day, one-click unsubscribe.

Details

Source
AWS Security Bulletins (INTL · vendor-psirt · site)
Severity
high
Published
2026-06-05
Exploitation
Not in CISA KEV at last sync

Original advisory: https://aws.amazon.com/security/security-bulletins/rss/aws-2025-017/

Exploitation outlook

EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2025-8904coverage & exploitation statusNVD · CVE.org

More from AWS Security Bulletins