CVE-2025-12548
published 2026-01-13


Priority: P1 (84)
Severity: critical
CVSS 3.1: 9 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 1.16% (63.3rd percentile)
A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, etc.) from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333.

Detection & IOCs (extracted from sources)

Port: 3333/TCP
Path: linux/http/eclipse_che_machine_exec_rce
  • Monitor for unauthenticated WebSocket connections to TCP port 3333 on Developer Workspace containers; any connection not preceded by authentication is suspicious.
  • Alert on JSON-RPC method calls arriving over WebSocket on port 3333 without a preceding authentication handshake, as this is the exploitation mechanism for arbitrary command execution.
  • Treat exploitation as a lateral movement indicator: successful exploitation enables movement between workspaces and potential cluster compromise in Red Hat OpenShift DevSpaces environments.
  • Watch for unexpected exfiltration of SSH keys and tokens from Developer Workspace containers, which are targeted artifacts of this vulnerability.
  • The vulnerability is only exploitable when the machine-exec service on TCP/3333 is network-accessible; environments where this port is not exposed externally have a reduced attack surface.
  • Red Hat recommends applying security best practices from the OpenShift Dev Spaces Administration Guide as a mitigation until a patch is applied.
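The first two detection bullets above (WebSocket upgrades and JSON-RPC calls reaching TCP/3333 from a client that never authenticated) can be turned into a small log correlation. The following is an added example, not code from the advisory or from Eclipse Che; it assumes a constructed, hypothetical proxy/connection log format (`event=auth_ok|ws_upgrade|jsonrpc`) and a constructed method name, neither of which is che-machine-exec's real log or API.

```python
"""Flag WebSocket / JSON-RPC traffic to the che-machine-exec port (TCP 3333)
that is not preceded by an authentication event from the same client.

Added example. The log shape parsed here is constructed and hypothetical
(an ingress/proxy log that records auth and WebSocket events per source),
not the product's own log format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

MACHINE_EXEC_PORT = 3333  # port named in the advisory

# Constructed, hypothetical line shape:
#   <timestamp> src=<ip> dst_port=<port> event=<auth_ok|ws_upgrade|jsonrpc> [method=<name>]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst_port=(?P<port>\d+) "
    r"event=(?P<event>\w+)(?: method=(?P<method>\S+))?$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    src: str
    event: str
    method: str | None
    reason: str


def parse_line(line: str) -> dict | None:
    """Parse one log line; return None for lines that do not match the shape."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def find_unauthenticated_machine_exec(lines) -> list[Finding]:
    """Correlate events per source IP in log order.

    A source is considered authenticated once an auth_ok event is seen for it.
    Any ws_upgrade or jsonrpc event to TCP/3333 from a source with no prior
    auth_ok is reported. Traffic to other ports is ignored.
    """
    authenticated: set[str] = set()
    findings: list[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than crash the sweep
        if rec["event"] == "auth_ok":
            authenticated.add(rec["src"])
            continue
        if rec["port"] != MACHINE_EXEC_PORT:
            continue
        if rec["event"] == "ws_upgrade" and rec["src"] not in authenticated:
            findings.append(Finding(rec["ts"], rec["src"], rec["event"], None,
                                    "WebSocket upgrade to machine-exec port without prior authentication"))
        elif rec["event"] == "jsonrpc" and rec["src"] not in authenticated:
            findings.append(Finding(rec["ts"], rec["src"], rec["event"], rec["method"],
                                    "JSON-RPC call on machine-exec port without prior authentication"))
    return findings


# Constructed sample log: one client that authenticated first, one that did not,
# one event on an unrelated port, and one malformed line.
SAMPLE_LOG = [
    "2026-01-13T10:00:01Z src=10.0.0.5 dst_port=443 event=auth_ok",
    "2026-01-13T10:00:02Z src=10.0.0.5 dst_port=3333 event=ws_upgrade",
    "2026-01-13T10:00:03Z src=10.0.0.5 dst_port=3333 event=jsonrpc method=exampleMethod",
    "2026-01-13T10:05:00Z src=192.0.2.77 dst_port=3333 event=ws_upgrade",
    "2026-01-13T10:05:01Z src=192.0.2.77 dst_port=3333 event=jsonrpc method=exampleMethod",
    "2026-01-13T10:06:00Z src=192.0.2.77 dst_port=8080 event=jsonrpc method=exampleMethod",
    "this line does not match the expected shape",
]


if __name__ == "__main__":
    for f in find_unauthenticated_machine_exec(SAMPLE_LOG):
        print(f"{f.ts} {f.src} {f.event} method={f.method} :: {f.reason}")
```

Run against the constructed sample, only the two events from `192.0.2.77` are reported; the `10.0.0.5` client is ignored because its `auth_ok` precedes its WebSocket traffic, and the port-8080 call is out of scope. In a real deployment the `auth_ok` source would be whatever component fronts the workspace (for example the ingress or gateway that performs the login), and correlation should be keyed on the identity that component records rather than on bare source IP where NAT is in play.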

CVSS provenance

nvd (v3.1): 9.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
vulncheck: 9.0 CRITICAL
vendor_redhat: 9.0 CRITICAL