Cyber Posture

CVE-2025-23015

High

Published: 04 February 2025

Modified: 14 July 2025
KEV Added
Patch
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0041 (61.2th percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Description

Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. A user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches. This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.15, 4.1.7, 5.0.2. Users are recommended to upgrade to versions 3.0.31, 3.11.18, 4.0.16, 4.1.8, 5.0.3, which fix the issue.

Security Summary

CVE-2025-23015 is a Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra, classified under CWE-267. It affects Apache Cassandra versions through 3.0.30, 3.11.17, 4.0.15, 4.1.7, and 5.0.2. The flaw allows a user with MODIFY permission on all keyspaces to perform unsafe actions against a system resource, enabling privilege escalation to superuser within a targeted Cassandra cluster. The vulnerability has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant confidentiality, integrity, and availability impacts.

An attacker requires low privileges—specifically, MODIFY permission on all keyspaces—and can exploit this over the network with low complexity and no user interaction. Successful exploitation grants superuser privileges in the Cassandra cluster, potentially allowing full control over the database, data manipulation, or further lateral movement. Operators who have granted broad MODIFY permissions across all keyspaces are particularly at risk and should audit access controls for potential breaches.

Apache advisories recommend upgrading to remediated versions: 3.0.31, 3.11.18, 4.0.16, 4.1.8, or 5.0.3, which address the issue. Additional guidance is available in the Apache security announcement and related oss-security mailing list posts, as well as vendor-specific advisories like NetApp's NTAP-20250214-0006.
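
The audit recommended above can be scripted. The following is an added example, not code from Apache or from this page: it checks a node version against the fixed releases listed in the advisory and flags non-superuser roles that hold MODIFY on all keyspaces. It assumes permission rows exported as (role, resource, permissions) from system_auth.role_permissions, with `data` as the resource name for all keyspaces; the sample rows are constructed, and permissions inherited through role-to-role grants are not resolved.

```python
# Added example. Assumptions: rows come from system_auth.role_permissions as
# (role, resource, permissions) and the all-keyspaces resource is named "data".
ALL_KEYSPACES = "data"

# First fixed release per branch, as listed in the advisory text.
FIXED = {(3, 0): (3, 0, 31), (3, 11): (3, 11, 18), (4, 0): (4, 0, 16),
         (4, 1): (4, 1, 8), (5, 0): (5, 0, 3)}

def parse_version(text):
    """'4.1.7' -> (4, 1, 7); raises ValueError for anything else."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {text!r}")
    return parts

def version_status(text):
    """'affected', 'fixed', or 'unlisted' (branch not named in the advisory)."""
    v = parse_version(text)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return "unlisted"
    return "affected" if v < fixed else "fixed"

def exposed_roles(rows, superusers=()):
    """Non-superuser roles granted MODIFY directly on the all-keyspaces resource."""
    hits = {role for role, resource, perms in rows
            if resource == ALL_KEYSPACES and "MODIFY" in perms
            and role not in superusers}
    return sorted(hits)

def triage(version, rows, superusers=()):
    """Combine both checks; roles are reported even on fixed versions so that
    past access by those roles can still be reviewed."""
    status = version_status(version)
    roles = exposed_roles(rows, superusers)
    return {"version": status, "roles_to_review": roles,
            "exposed": status == "affected" and bool(roles)}

# Constructed sample rows (not taken from a real cluster).
SAMPLE_ROWS = [
    ("cassandra", "data", {"ALTER", "AUTHORIZE", "CREATE", "DROP", "MODIFY", "SELECT"}),
    ("etl_writer", "data", {"MODIFY", "SELECT"}),
    ("app_orders", "data/orders", {"MODIFY", "SELECT"}),
    ("reporting", "data", {"SELECT"}),
]

if __name__ == "__main__":
    print(triage("4.1.7", SAMPLE_ROWS, superusers={"cassandra"}))
```
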

Details

CWE(s)
CWE-267

Affected Products

apache
cassandra
3.0.0 — 3.0.31 · 3.1 — 3.11.18 · 4.0.0 — 4.0.16

References