Description
Chef InSpec up to version 5.23 creates named pipes with overly permissive default Windows access controls. A local attacker may interfere with the pipe connection process and exploit the insufficient access restrictions to assume the InSpec execution context, potentially resulting in elevated privileges or operational disruption. This issue affects Chef InSpec: through 5.23.
Problem types
CWE-269 Improper Privilege Management
CWE-287 Improper Authentication
Product status
Any version
Credits
Yuval Gordon, Akamai
Maayan Shaul, Microsoft