CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2025-8904

highcovered by 1 sourcefirst seen 2026-06-05
Bulletin ID: AWS-2025-017 Scope: AWS Content Type: Important (requires attention) Publication Date: 2025/08/13 10:00 PM PDT Description: Amazon EMR is a managed cluster platform that simplifies running big data frameworks on AWS to process and analyze vast amounts of data. We identified CVE-2025-8904, an issue in the Amazon EMR Secret Agent component. The Secret Agent component securely stores secrets and distributes secrets to other Amazon EMR components and applications. When using Amazon EMR clusters with one or more Lake Formation, Apache Ranger, runtime role, or Identity Center feature that uses this component, Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and another account can potentially decrypt the keys and escalate to higher privileges. We implemented a fix that removes /tmp/ as a staging directory for Kerberos credentials, eliminating the possibility of users accessing the keytab file. The fix is available in Amazon EMR release 7.5 and higher. Affected versions: Amazon EMR version 6.10 through 7.4

CSIRTS triage

What
An issue allows a user to potentially decrypt Kerberos credentials stored in a keytab file.
Who is affected
Users with access to the /tmp/ directory in Amazon EMR clusters using certain features.
Urgency
Remediation is urgent due to the potential for privilege escalation.
Action
Remove the /tmp/ directory keytab file as part of the fix.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2025-8904

Get an email if CVE-2025-8904 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2025-8904

CVE.org record

Embed the live status

CVE-2025-8904 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2025-8904 status](https://www.csirts.com/badge/CVE-2025-8904)](https://www.csirts.com/cve/CVE-2025-8904)