CVE-2025-10360 in Puppet Enterprise
Summary
by MITRE • 09/24/2025
In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account. This has been fixed in Puppet Enterprise version 2025.6, and release notes for 2025.6 have remediation steps for users of affected versions who can't update to the latest version.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 09/24/2025
The vulnerability described in CVE-2025-10360 represents a critical security flaw in Puppet Enterprise versions 2025.4.0 and 2025.5 that compromises the confidentiality of sensitive data through improper handling of encryption keys within backup operations. This issue specifically affects organizations that have purchased Puppet Enterprise Advanced licenses and enabled the Infra Assistant feature, which provides integration with artificial intelligence services. The flaw demonstrates a fundamental misconfiguration in the backup process where encryption keys are not properly excluded from backup archives, creating a significant risk for data exposure.
The technical implementation of this vulnerability stems from the improper exclusion of encryption keys during backup procedures within the Puppet Enterprise infrastructure. When users enable the Infra Assistant feature, the system generates and stores an encryption key specifically designed to protect API credentials for AI provider accounts within the Infra Assistant database. This encryption mechanism, while intended to provide security, becomes ineffective when the key itself is included in backup files that are typically stored in accessible locations. The vulnerability manifests as a failure to implement proper backup exclusion policies for cryptographic material, which is a direct violation of standard security practices for key management and data protection.
The operational impact of this vulnerability extends beyond simple data exposure to encompass potential compromise of AI integration services and broader organizational security posture. Organizations using Puppet Enterprise Advanced with Infra Assistant feature are at risk of having their AI provider API keys exposed through backup files, which could lead to unauthorized access to AI services, potential billing fraud, or data exfiltration through compromised AI integrations. This risk is particularly concerning in environments where backup systems may be accessible to unauthorized personnel or where backup files are stored in less secure locations than the primary system. The vulnerability affects only specific configurations and license types, but for affected organizations, it creates a persistent security risk that requires immediate attention.
The remediation approach for this vulnerability involves upgrading to Puppet Enterprise version 2025.6, which includes proper exclusion mechanisms for encryption keys in backup operations. Organizations unable to upgrade immediately should follow the remediation steps outlined in the 2025.6 release notes, which typically involve manual key management procedures and backup configuration adjustments. This vulnerability aligns with CWE-312 (Sensitive Data Exposure) and represents a failure in proper key lifecycle management practices that should be addressed through comprehensive backup policies and cryptographic key management frameworks. The issue also intersects with ATT&CK technique T1531 (Account Access Removal) and T1070.004 (File Deletion) through potential unauthorized access to backup systems and the compromise of backup integrity. Organizations should implement regular security assessments of their backup configurations and ensure that cryptographic keys are properly separated from backup processes to prevent similar vulnerabilities from emerging in other systems.