Home > Vulnerability Database > CVE-2025-0928

Mend.io Vulnerability Database

CVE-2025-0928

Good to know:

Date: July 8, 2025

In Juju versions prior to 3.6.8 and 2.9.52, any authenticated controller user was allowed to upload arbitrary agent binaries to any model or to the controller itself, without verifying model membership or requiring explicit permissions. This enabled the distribution of poisoned binaries to new or upgraded machines, potentially resulting in remote code execution.

Severity Score

8.8

Related Resources (9)

Url: https://github.com/juju/juju/security/advisories/GHSA-4vc8-wvhw-m5gv

Url: https://github.com/juju/juju

Url: https://pkg.go.dev/vuln/GO-2025-3805

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-0928

Url: https://github.com/juju/juju/commit/4034aa13c7cf5a37427fcd032925d5d21955b096

Url: https://github.com/juju/juju/commit/b4176e6e45c2c3c817ab60b39e2d52f9a11a5ddf

Url: https://github.com/juju/juju/commit/311e374cb8d2431032c51fb3fb5c4b0aaaa7196c

Url: https://github.com/juju/juju/commit/22cdcf6b54c2f371822e1c203d4f341be6c9589e

Url: https://www.mend.io/vulnerability-database/CVE-2025-0928

Severity Score

8.8

Weakness Type (CWE)

Improper Authorization

CWE-285

Unrestricted Upload of File with Dangerous Type

CWE-434

Top Fix

Upgrade Version

Upgrade to version https://github.com/juju/juju.git - v2.9.52;https://github.com/juju/juju.git - v3.6.8

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-0928

Good to know:

Date: July 8, 2025

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?