CVE-2025-13609
Keylime allows users to register new agents by recycling existing UUIDs when using different TPM devices
8.2
HIGH
CVSS 3.1
EPSS 0.09%
Description
A vulnerability has been identified in Keylime: an attacker can register a new agent using a different Trusted Platform Module (TPM) device while claiming an existing agent's unique identifier (UUID). The new registration overwrites the legitimate agent's identity, enabling the attacker to impersonate that agent and potentially bypass security controls.
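As an added illustration (not Keylime's code or its actual fix), the following Python models the class of registrar defect described above: a registrar that blindly upserts agent records keyed by UUID lets a registration from a different TPM replace the stored identity, whereas a registrar that binds each UUID to the TPM endorsement key (EK) first seen rejects the conflicting registration and records it for review. The registrar classes, record fields, audit log, UUID and EK byte strings are all constructed assumptions for the demonstration.

```python
"""Hypothetical model of an attestation registrar, added to illustrate
CVE-2025-13609. This is NOT Keylime's code or its real fix; the data
model (UUID -> EK fingerprint) and the sample keys are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass
class AgentRecord:
    uuid: str
    ek_fingerprint: str  # SHA-256 of the TPM EK public key bytes
    ip: str


def ek_fingerprint(ek_pub: bytes) -> str:
    """Stable identifier for the TPM that presented this EK public key."""
    return hashlib.sha256(ek_pub).hexdigest()


class VulnerableRegistrar:
    """Upserts by UUID only: a later registration with the same UUID but a
    different TPM silently replaces the legitimate agent's identity."""

    def __init__(self) -> None:
        self.agents: dict[str, AgentRecord] = {}

    def register(self, uuid: str, ek_pub: bytes, ip: str) -> AgentRecord:
        rec = AgentRecord(uuid, ek_fingerprint(ek_pub), ip)
        self.agents[uuid] = rec  # overwrites without checking the TPM
        return rec


class RegistrationConflict(Exception):
    """Raised when an existing UUID is claimed with a different TPM EK."""


class HardenedRegistrar:
    """Binds a UUID to the EK first seen. Re-registration from the same TPM
    (e.g. after an IP change) is allowed; a different EK is rejected and
    written to an audit log so defenders can investigate the attempt."""

    def __init__(self) -> None:
        self.agents: dict[str, AgentRecord] = {}
        self.audit_log: list[str] = []

    def register(self, uuid: str, ek_pub: bytes, ip: str) -> AgentRecord:
        fp = ek_fingerprint(ek_pub)
        existing = self.agents.get(uuid)
        if existing is not None and existing.ek_fingerprint != fp:
            msg = (f"registration rejected: uuid={uuid} from ip={ip} "
                   f"presented EK {fp[:16]}..., bound EK is "
                   f"{existing.ek_fingerprint[:16]}...")
            self.audit_log.append(msg)
            raise RegistrationConflict(msg)
        rec = AgentRecord(uuid, fp, ip)
        self.agents[uuid] = rec
        return rec


def demo() -> tuple[bool, bool, str, int]:
    """Runs both registrars on the same constructed scenario and returns
    (vulnerable_overwritten, hardened_rejected, hardened_ip, audit_entries)."""
    # Constructed sample values standing in for real TPM EK public keys.
    legit_ek = b"constructed-ek-of-legitimate-tpm"
    other_ek = b"constructed-ek-of-a-different-tpm"
    uuid = "00000000-1111-2222-3333-444444444444"  # constructed

    v = VulnerableRegistrar()
    v.register(uuid, legit_ek, "10.0.0.5")
    v.register(uuid, other_ek, "10.0.0.99")  # different TPM, same UUID
    vulnerable_overwritten = (
        v.agents[uuid].ek_fingerprint == ek_fingerprint(other_ek))

    h = HardenedRegistrar()
    h.register(uuid, legit_ek, "10.0.0.5")
    h.register(uuid, legit_ek, "10.0.0.6")  # same TPM, new IP: allowed
    try:
        h.register(uuid, other_ek, "10.0.0.99")
        hardened_rejected = False
    except RegistrationConflict:
        hardened_rejected = True
    return (vulnerable_overwritten, hardened_rejected,
            h.agents[uuid].ip, len(h.audit_log))


if __name__ == "__main__":
    print(demo())
```

The check is deliberately on the EK rather than on the UUID or the source address: the UUID is chosen by the caller and the address can change legitimately, while the EK is the one value tied to the physical TPM. Rejected attempts are logged with both fingerprints so an operator can tell a spoofing attempt from a genuine hardware replacement that needs an explicit, out-of-band rebind.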
How to fix CVE-2025-13609
To remediate CVE-2025-13609, upgrade the affected package to one of the fixed versions listed below.
- — upgrade to 7.13.0 or later
- — no fix listed
Is CVE-2025-13609 being exploited?
Low — the EPSS score is 0.1%, a low estimated probability of exploitation in the wild (EPSS is a prediction, not a record of observed exploitation).
Affected packages (2)
- from 0, < 7.13.0
CVSS scores
| Source | CVSS version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 8.2 | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:H/A:L |