logo_clicknbuy.png

CVE-2025-9039 – Amazon ECS Agent Cross-Site Access Vulnerability

The following table lists the changes that have been made to the
CVE-2025-9039 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.

  • New CVE Received
    by ff89ba41-3aa1-4d27-914a-91399e9639e5

    Aug. 14, 2025

    Action Type Old Value New Value
    Added Description We identified an issue in the Amazon ECS agent where, under certain conditions, an introspection server could be accessed off-host by another instance if the instances are in the same security group or if their security groups allow incoming connections that include the port where the server is hosted. This issue does not affect instances where the option to allow off-host access to the introspection server is set to ‘false’.

    This issue has been addressed in ECS agent version 1.97.1. We recommend upgrading to the latest version and ensuring any forked or derivative code is patched to incorporate the new fixes.

    If customers cannot update to the latest AMI, they can modify the Amazon EC2 security groups to restrict incoming access to the introspection server port (51678).
    Added CVSS V4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
    Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
    Added CWE CWE-277
    Added Reference https://aws.amazon.com/security/security-bulletins/AWS-2025-018/
    Added Reference https://github.com/aws/amazon-ecs-agent/releases/tag/v1.97.1
    Added Reference https://github.com/aws/amazon-ecs-agent/security/advisories/GHSA-wm7x-ww72-r77q
Share the Post:

Related Posts