cbcvebase.
CVE-2025-3576
published 2025-04-15

CVE-2025-3576: A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum…

PriorityP433medium5.9CVSS 3.1
AVNACHPRNUINSUCNIHAN
EPSS
0.28%
19.3th percentile
A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.

Affected

8 ranges
VendorProductVersion rangeFixed in
debiankrb5< krb5 1.20.1-2+deb12u4 (bookworm)krb5 1.20.1-2+deb12u4 (bookworm)
mitkrb5>= 0 < 1.18.3-6+deb11u71.18.3-6+deb11u7
mitkrb5>= 0 < 1.20.1-2+deb12u41.20.1-2+deb12u4
mitkrb5>= 0 < 1.21.2-11.21.2-1
mitkrb5>= 0 < 1.21.2-11.21.2-1
msrcazl3_krb5_1.21.3-2_on_azure_linux_3.0
msrccbl2_krb5_1.19.4-3_on_cbl_mariner_2.0
msrccbl2_krb5_1.19.4-4_on_cbl_mariner_2.0

CVSS provenance

nvdv3.15.9MEDIUMCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
osv5.9MEDIUM
vendor_debian5.9MEDIUM
vendor_msrc5.9MEDIUM
vendor_oracle5.9MEDIUM
vendor_redhat5.9MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.