Teleport security engineers have identified a critical vulnerability and released new versions of Teleport (17.5.2, 16.5.12, 15.5.3, 14.4.1, 13.4.27, and 12.4.35).
For Cloud customers, your control plane version has been updated. If you have agents enrolled in Managed Updates v2, they were automatically updated to the patched version during your chosen maintenance window on 06/09/2025.
Your Action
If your agents are not automatically managed, you must update the Teleport agents running on your infrastructure to be fully mitigated. All nodes need to be upgraded to the patched Teleport release that matches the major version of your cluster (the patched releases are listed above).
Updating Agents
If you still need to update agents, the easiest way to accomplish this is to fully enroll in Managed Updates v2.
First, find agents that do not support Managed Updates v2:
# v14 agents
tctl inventory ls --older-than=v14.4.0
# v15 agents
tctl inventory ls --older-than=v15.5.0 --newer-than=v14.99.99
# v16 agents
tctl inventory ls --older-than=v16.5.0 --newer-than=v15.99.99
# v17 agents
tctl inventory ls --older-than=v17.4.0 --newer-than=v16.99.99
Once identified, upgrade those agents to the latest patch release that matches your cluster's major version. You may use apt or yum to upgrade where applicable. Then enroll every agent in Managed Updates v2 by running:
sudo teleport-update enable
Once enabled, teleport-update manages the Teleport binary and apt and yum are no longer used for it. Note that you can run this command at any time to update immediately, without waiting for your next maintenance window.
FAQ
Q: My agent was locked. What do I do?
A: If your agent was automatically locked, it was running a vulnerable version of the software. Remove the lock (via the Web UI or tctl, as described below) and then update the agent using the upgrade steps above.
Using UI
Note: Your user must have read/list/delete permissions on locks.
- Open Identity Governance -> Session & Identity Locks.
- Verify that the hostname in the lock message is the agent you intend to unlock.
- Delete the lock (trash can icon).
- Upgrade the agent!
Using CLI
# Get Server ID (lookup by hostname)
tctl inventory ls
# [Option 1] Get Lock name (.spec.target.server_id)
tctl get locks
# [Option 2] Get Lock name (with yq)
tctl get locks | yq '. | select(.spec.target.server_id == "XXXXXXX-XXXX-XXXX-XXXX-XXXXXXX") | .metadata.name'
# Unlock
tctl rm locks/YYYYYYY-YYYY-YYYY-YYYYYYYY
# Upgrade!
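As an added worked example (not Teleport's own tooling, and not code from the original article), the following POSIX shell script reproduces offline the two checks described above: it flags agents whose version is below the patched release for their own major version (the "find outdated agents" step), and it resolves lock names from spec.target.server_id without needing yq (the "find the lock" step). The inventory and lock data are constructed samples: the inventory uses a simplified "server_id hostname version" layout, and the lock names and server IDs are placeholders. The real tctl inventory ls table has more columns, so adjust the awk fields and pipe the real tctl get locks output in before using this against a cluster. The patched-release table is taken from the top of this advisory.

```shell
#!/bin/sh
# Added example, not Teleport's own tooling. Uses only awk/sed so it runs
# where yq is not installed.

# Minimum patched release per major version, from this advisory.
PATCHED_VERSIONS="12 12.4.35
13 13.4.27
14 14.4.1
15 15.5.3
16 16.5.12
17 17.5.2"

# Constructed sample in a simplified "server_id hostname version" layout.
# The real `tctl inventory ls` table has more columns; adjust the fields.
SAMPLE_INVENTORY="1111aaaa-0000-4000-8000-000000000001 web-1 v17.5.2
2222bbbb-0000-4000-8000-000000000002 web-2 v17.4.3
3333cccc-0000-4000-8000-000000000003 db-1 v16.5.11
4444dddd-0000-4000-8000-000000000004 db-2 v16.5.12
5555eeee-0000-4000-8000-000000000005 old-1 v14.3.9"

# Constructed sample shaped like `tctl get locks` output (YAML documents
# separated by ---). Lock names and server IDs are placeholders.
SAMPLE_LOCKS="kind: lock
metadata:
  name: aaaa0001-lock
spec:
  message: Teleport agent web-2 is running a vulnerable version
  target:
    server_id: 2222bbbb-0000-4000-8000-000000000002
version: v2
---
kind: lock
metadata:
  name: aaaa0002-lock
spec:
  message: Teleport agent old-1 is running a vulnerable version
  target:
    server_id: 5555eeee-0000-4000-8000-000000000005
version: v2"

# version_lt A B: succeeds when version A is lower than version B.
# A leading "v" is ignored; missing components count as 0.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/^v/, "", a); sub(/^v/, "", b)
    n = split(a, x, "."); m = split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      xa = (i <= n) ? x[i] + 0 : 0
      yb = (i <= m) ? y[i] + 0 : 0
      if (xa < yb) exit 0
      if (xa > yb) exit 1
    }
    exit 1
  }'
}

# outdated_agents: prints "server_id hostname version" for each agent whose
# version is below the patched release of its own major version.
outdated_agents() {
  printf '%s\n' "$SAMPLE_INVENTORY" | while read -r id host ver; do
    major=$(printf '%s' "$ver" | sed 's/^v//; s/\..*//')
    min=$(printf '%s\n' "$PATCHED_VERSIONS" | awk -v m="$major" '$1 == m { print $2 }')
    if [ -z "$min" ]; then
      continue   # major version not covered by this advisory
    fi
    if version_lt "$ver" "$min"; then
      printf '%s %s %s\n' "$id" "$host" "$ver"
    fi
  done
}

# lock_names_for_server SERVER_ID: prints metadata.name of every lock whose
# spec.target.server_id equals SERVER_ID. Reads the sample; feed real
# `tctl get locks` output to the awk instead when running for real.
lock_names_for_server() {
  printf '%s\n' "$SAMPLE_LOCKS" | awk -v want="$1" '
    /^---/       { if (sid == want) print name; name = ""; sid = ""; next }
    /^  name:/   { name = $2 }
    /server_id:/ { sid = $2 }
    END          { if (sid == want) print name }'
}

# unlock_commands: prints (does not run) the tctl rm command for every
# locked, outdated agent, so the list can be reviewed before acting on it.
unlock_commands() {
  outdated_agents | while read -r id host ver; do
    lock_names_for_server "$id" | while read -r lock; do
      printf 'tctl rm locks/%s   # %s %s\n' "$lock" "$host" "$ver"
    done
  done
}

unlock_commands
```

The script only prints the tctl rm commands; review the hostnames against the lock messages, as the UI steps above advise, before running them, and upgrade each agent immediately after unlocking it or it will simply be locked again.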
Q: I see a banner that vulnerable agents have been detected, but I have recently upgraded. Am I missing an agent?
A: We update this message periodically. If you have recently upgraded, validate using the tctl inventory commands above. If you need to remove the banner to reduce confusion for other users, you may use tctl alerts ack --ttl 48h to prevent it from being displayed to other users for that period.
Q: I'm running Managed Updates v1, am I covered?
A: The Managed Updates v1 updater is still fully functional. You can keep using it as long as it is functional and your agents are on a patched version.
Q: What if I run my agents in Kubernetes?
A: Kubernetes agents should be configured with the teleport-kube-agent updater instead of teleport-update. This works with both Managed Updates V1 and Managed Updates V2. Unpatched Teleport Kubernetes agents may be vulnerable if they provide SSH access via Teleport ssh_service.