CVE-2025-12548
Published 2026-01-13
Priority: P1 (84) · Severity: critical · CVSS 3.1 base score: 9.0
Vector: AV:N / AC:L / PR:L / UI:R / S:C / C:H / I:H / A:H
Flags: ITW · Exploit · VulnCheck KEV · Exploited in the wild
EPSS: 1.16% (63.3rd percentile)
A flaw was found in Eclipse Che che-machine-exec. This vulnerability allows unauthenticated remote arbitrary command execution and secret exfiltration (SSH keys, tokens, etc.) from other users' Developer Workspace containers, via an unauthenticated JSON-RPC / websocket API exposed on TCP port 3333.
Detection & IOCs (extracted from sources)
- Monitor for WebSocket connections to TCP port 3333 on Developer Workspace containers. The machine-exec API performs no authentication of its own (CWE-306), so there is no auth handshake on the socket to look for; the signal is where a connection comes from. Any client that is not the workspace's expected access path, in particular another user's workspace, is suspicious.
- Alert on JSON-RPC method calls arriving over WebSocket on port 3333 from such unexpected sources; this is the exploitation mechanism for arbitrary command execution.
- Treat exploitation as a lateral movement indicator: successful exploitation enables movement between workspaces and potential cluster compromise in Red Hat OpenShift Dev Spaces environments.
- Watch for unexpected exfiltration of SSH keys and tokens from Developer Workspace containers; these are the artifacts this vulnerability targets.
- The vulnerability is only exploitable when the machine-exec service on TCP/3333 is network-accessible; environments where this port is not reachable from other workspaces or from outside the cluster have a reduced attack surface.
- Red Hat recommends applying the security best practices from the OpenShift Dev Spaces Administration Guide as a mitigation until a patch is applied.
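The bullets above describe an origin-based detection. As an added example (not code from the Eclipse Che project, Red Hat or VulnCheck), the Python below runs that logic over a few constructed flow-log lines: it flags connections to TCP/3333 whose source is neither the destination workspace's own namespace nor an assumed trusted control-plane namespace, records whether a WebSocket upgrade (the JSON-RPC channel) was seen, and lists sources that fan out across several workspaces as the lateral-movement indicator. The log line format, the namespace names (`openshift-devspaces`, `<user>-devspaces`) and the pod names are assumptions constructed for the example, not taken from any real deployment.

```python
"""Flag connections to che-machine-exec (TCP/3333) that arrive from an
unexpected source, and surface sources fanning out across workspaces.

Added example for this page; not code from Eclipse Che, Red Hat or VulnCheck.
Assumptions (constructed, not taken from any real product): a flow log with
one TCP connection per line in the format
  <ts> src=<namespace>/<pod> dst=<namespace>/<pod> dport=<port> proto=tcp upgrade=<yes|no>
and that the only legitimate clients of a workspace's machine-exec are pods in
the workspace's own namespace or in a trusted control-plane namespace.
"""
import re
from dataclasses import dataclass

MACHINE_EXEC_PORT = 3333

# Constructed flow-log line format (assumption, see module docstring).
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=tcp upgrade=(?P<upgrade>yes|no)$"
)


@dataclass
class Finding:
    ts: str
    src: str      # namespace/pod that opened the connection
    dst: str      # namespace/pod running machine-exec
    reason: str


def namespace_of(ref: str) -> str:
    """'namespace/pod' -> 'namespace'."""
    return ref.split("/", 1)[0]


def is_expected_client(src: str, dst: str, trusted_namespaces) -> bool:
    # machine-exec itself performs no authentication (CWE-306), so there is no
    # auth handshake on the socket to look for; the only usable signal is the
    # connection's origin.  Same-namespace traffic and the trusted
    # control-plane namespace (assumed name) are treated as expected.
    return namespace_of(src) == namespace_of(dst) or namespace_of(src) in trusted_namespaces


def analyze(lines, trusted_namespaces=("openshift-devspaces",)):
    """Return one Finding per connection to TCP/3333 from an unexpected client."""
    findings = []
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m or int(m["dport"]) != MACHINE_EXEC_PORT:
            continue
        if is_expected_client(m["src"], m["dst"], trusted_namespaces):
            continue
        reason = "cross-workspace connection to machine-exec on TCP/3333"
        if m["upgrade"] == "yes":
            # A WebSocket upgrade is what carries the JSON-RPC channel.
            reason += " with WebSocket upgrade (JSON-RPC channel)"
        findings.append(Finding(m["ts"], m["src"], m["dst"], reason))
    return findings


def lateral_movement_sources(findings):
    """Sources that reached machine-exec in more than one foreign namespace:
    one workspace fanning out across others is the lateral-movement pattern
    the advisory warns about."""
    reached = {}
    for f in findings:
        reached.setdefault(f.src, set()).add(namespace_of(f.dst))
    return sorted(src for src, namespaces in reached.items() if len(namespaces) > 1)


# Constructed sample flows (not real traffic); namespaces and pod names are invented.
SAMPLE_FLOWS = [
    "2026-01-13T10:00:01Z src=alice-devspaces/workspace1a2b-0 dst=alice-devspaces/workspace1a2b-0 dport=3333 proto=tcp upgrade=yes",
    "2026-01-13T10:00:05Z src=openshift-devspaces/che-gateway-7d8f dst=alice-devspaces/workspace1a2b-0 dport=3333 proto=tcp upgrade=yes",
    "2026-01-13T10:01:12Z src=mallory-devspaces/workspace9z8y-0 dst=alice-devspaces/workspace1a2b-0 dport=3333 proto=tcp upgrade=yes",
    "2026-01-13T10:01:13Z src=mallory-devspaces/workspace9z8y-0 dst=bob-devspaces/workspace4c5d-0 dport=3333 proto=tcp upgrade=yes",
    "2026-01-13T10:02:00Z src=mallory-devspaces/workspace9z8y-0 dst=alice-devspaces/workspace1a2b-0 dport=8080 proto=tcp upgrade=no",
    "2026-01-13T10:02:30Z src=carol-devspaces/workspace7e6f-0 dst=alice-devspaces/workspace1a2b-0 dport=3333 proto=tcp upgrade=no",
]

if __name__ == "__main__":
    hits = analyze(SAMPLE_FLOWS)
    for h in hits:
        print(f"{h.ts} {h.src} -> {h.dst}: {h.reason}")
    print("fan-out sources:", lateral_movement_sources(hits))
```

Run directly, the sample yields three findings (two from the mallory workspace, one from carol) and names the mallory workspace as the only source fanning out across more than one other workspace. In a real deployment the same logic would sit over whatever the CNI or service mesh exports as per-connection flow records, with the trusted namespace set adjusted to how the cluster actually routes traffic to workspaces.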
CVSS provenance
nvd (v3.1): 9.0 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
vulncheck: 9.0 CRITICAL
vendor_redhat: 9.0 CRITICAL
Note that the NVD vector carries PR:L and UI:R even though every source on this page describes the port-3333 API as unauthenticated; read the vector's privilege and user-interaction components with that discrepancy in mind.
GHSA
GHSA-64f4-p4m8-4j89: A flaw was found in Eclipse Che che-machine-exec
ghsa_unreviewed · 2026-01-13 · CVE-2025-12548 [CRITICAL] · CWE-306
VulnCheck
Missing Authentication for Critical Function (CWE-306)
vulncheck · 2025 · CVE-2025-12548 [CRITICAL] · CVSS 9.0
Affected: Red Hat OpenShift Dev Spaces (RHOSDS) 3.22
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2025-12548&date=2026-04-15
Red Hat
github.com/che-incubator/che-code: Eclipse Che — unauthenticated RCE and secret exfiltration via TCP/3333
vendor_redhat · 2025-12-02 · CVE-2025-12548 [CRITICAL] · CWE-306 · CVSS 9.0
Mitigation: Apply the security best practices from the Red Hat OpenShift Dev Spaces Administration Guide.
No detection rules found.