CVE-2025-0928
published 2025-07-08CVE-2025-0928: In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller…
PriorityP260high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.57%
42.8th percentile
In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | juju | < 2.9.52 | 2.9.52 |
| canonical | juju | >= 2.0.0 < 2.9.52 | 2.9.52 |
| canonical | juju | >= 3.0 < 3.6.8 | 3.6.8 |
| canonical | juju | >= 3.0.0 < 3.6.8 | 3.6.8 |
| github.com | juju_juju | >= 0 < 0.0.0-20250619215741-4034aa13c7cf | 0.0.0-20250619215741-4034aa13c7cf |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
OSV
Juju allows arbitrary executable uploads via authenticated endpoint without authorization in github.com/juju/juju
osv·2025-07-28
CVE-2025-0928 Juju allows arbitrary executable uploads via authenticated endpoint without authorization in github.com/juju/juju
Juju allows arbitrary executable uploads via authenticated endpoint without authorization in github.com/juju/juju
Juju allows arbitrary executable uploads via authenticated endpoint without authorization in github.com/juju/juju.
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/juju/juju before v0.0.0-20250619215741-4034aa13c7cf.
OSV
Juju allows arbitrary executable uploads via authenticated endpoint without authorization
osv·2025-07-09
CVE-2025-0928 [HIGH] Juju allows arbitrary executable uploads via authenticated endpoint without authorization
Juju allows arbitrary executable uploads via authenticated endpoint without authorization
### Summary
You can affect the agent binaries used in a Juju controller and the code that is run in the binaries by simply having a user account on a controller. You aren't required to have a model or any permissions. This just requires a user account in the controller database.
### Details
Because of the way Juju upload tools code works in the controller it only checks that the user uploading agent binaries is authenticated and is a user tag. No more checks are performed and it allows that user to upload binaries to any model they like (as long as they know the model uuid) or upload binaries to the controller (attacker doesn't need to know any uuid's for controller or controller model).
Once the p
GHSA
Juju allows arbitrary executable uploads via authenticated endpoint without authorization
ghsa·2025-07-09
CVE-2025-0928 [HIGH] CWE-285 Juju allows arbitrary executable uploads via authenticated endpoint without authorization
Juju allows arbitrary executable uploads via authenticated endpoint without authorization
### Summary
You can affect the agent binaries used in a Juju controller and the code that is run in the binaries by simply having a user account on a controller. You aren't required to have a model or any permissions. This just requires a user account in the controller database.
### Details
Because of the way Juju upload tools code works in the controller it only checks that the user uploading agent binaries is authenticated and is a user tag. No more checks are performed and it allows that user to upload binaries to any model they like (as long as they know the model uuid) or upload binaries to the controller (attacker doesn't need to know any uuid's for controller or controller model).
Once the p
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-07-08
Published