Initiatieven voor
Als nationale autoriteit voor cyberveiligheid heeft het CCB verschillende initiatieven ontwikkeld voor specifieke doelgroepen die hier worden gepresenteerd.
Warning: Cloud Infrastructure at Risk via 5 Critical Fluent Bit RCE Vulnerabilities, Patch Immediately!
Image
Gepubliceerd : 26/11/2025
- Last update: 26/11/2025
- Affected software: Fluent Bit
- Type: Remote Code Execution
- CVE/CVSS
→ CVE-2025-12972: CVSS 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
→ CVE-2025-12970: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
→ CVE-2025-12978: CVSS 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L)
→ CVE-2025-12977: CVSS 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
→ CVE-2025-12969: CVSS 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Sources
Oligo Research article - https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover
NVD information for CVE-2025-12969 - https://nvd.nist.gov/vuln/detail/CVE-2025-12969
NVD information for CVE-2025-12977 - https://nvd.nist.gov/vuln/detail/CVE-2025-12977
NVD information for CVE-2025-12978 - https://nvd.nist.gov/vuln/detail/CVE-2025-12978
NVD information for CVE-2025-12970 - https://nvd.nist.gov/vuln/detail/CVE-2025-12970
NVD information for CVE-2025-12972 - https://nvd.nist.gov/vuln/detail/CVE-2025-12972
Risks
In November 2025, researchers at Oligo together with Amazon AWS disclosed five vulnerabilities in Fluent Bit which could be chained together to achieve remote code execution. Versions of Fluent Bit released since 7 October 2025 are not vulnerable.
Fluent Bit is an open-source tool for collecting, processing, and forwarding logs. This component is massively used in cloud infrastructure; Fluent Bit is embedded in containers and deployed more than 15 billion times. It runs across all major cloud providers and across divers sectors including banks.
While there is no indication of active exploitation at this time (cut-off date: 26 November 2025), it is likely that threat actors would show interest in ways to gain deeper access to Cloud and Kubernetes infrastructure for further compromise, to disrupt cloud services or otherwise tamper with data.
Taken together, the impact of the vulnerability chaining is high for confidentiality, integrity, and availability.
Description
The five vulnerabilities of this chain to achieve remote code execution are:
- CVE-2025-12978 is a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. A remote attacker with authenticated or exposed access to these input endpoints can exploit this behaviour to manipulate tags and redirect records to unintended destinations. This compromises the authenticity of ingested logs and can allow injection of forged data, alert flooding, and routing manipulation.
- CVE-2025-12977 is a vulnerability in Fluent Bit’s in_http, in_splunk, and in_elasticsearch input plugins which fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags. Because tags influence routing and some outputs derive filenames or contents from tags, this can allow newline injection, path traversal, forged record injection, or log misrouting, affecting data integrity and log routing.
- CVE-2025-12972 is a flaw in the way Fluent Bit does not properly sanitise tag values when deriving output file names. This flaw allows attackers with network access to craft tags containing path traversal sequences that cause Fluent Bit to write files outside the intended output directory.
- CVE-2025-12970 is a vulnerability in the extract_name function in Fluent Bit’s in_docker input plugin that copies container names into a fixed size stack buffer without validating length. An attacker who can create containers or control container names, can supply a long name that overflows the buffer, leading to process crash or arbitrary code execution.
- CVE-2025-12969 is an issue in Fluent Bit in_forward input plugin which does not properly enforce the security.users authentication mechanism under certain configuration conditions. This allows remote attackers with network access to the Fluent Bit instance exposing the forward input to send unauthenticated data. By bypassing authentication controls, attackers can inject forged log records, flood alerting systems, or manipulate routing decisions, compromising the authenticity and integrity of ingested logs.
Recommended Actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
In addition to updating to the most recent Fluent Bit release, the following best practices could be used for mitigation:
- Avoid using dynamic tags for routing. Instead, use static, predefined tags in configurations to eliminate untrusted input influencing routing or file naming.
- Lock down output paths and destinations. For outputs like file, explicitly set a fixed Path or File parameter to prevent tag-based path expansion or traversal.
- Enforce read-only configuration mounts. Mount /fluent-bit/etc/ and configuration files as read-only to prevent runtime tampering or injection of unsafe options.
- Use least-privilege runtime settings. Run Fluent Bit as non-root users and restrict filesystem access to only necessary directories.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.