CVE-2025-10360
MEDIUM EPSS 7.4%
Published Sep 24, 20259mo ago · Modified Jun 17, 20262w ago
6.9 CVSS 4.0
Published Sep 24, 2025 9mo ago
Last Modified Jun 17, 2026 2w ago
Description
In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account. This has been fixed in Puppet Enterprise version 2025.6, and release notes for 2025.6 have remediation steps for users of affected versions who can't update to the latest version.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X Attack Vector Network
Attack Complexity Low
Privileges Required High
User Interaction None
Scope X
Threat Intelligence
EPSS Exploit Probability
7.4% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-522
References 1
- portal.perforce.com https://portal.perforce.com/s/cve/a91PA000001Smp7YAC/insufficiently-protected-credentials-in-puppet-enterprise-20254-and-20255
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.