Attackers could flood monitoring systems with false or misleading events, hide alerts in the noise, or even hijack the telemetry stream entirely, Katz said. The issue is now tracked as CVE-2025-12969 and awaits a severity assessment.
Almost equally troubling are other flaws in the “tag” mechanism, which determines how records are routed and processed. One bug (CVE-2025-12978) allows an attacker who can guess just the first character of the tag key to impersonate trusted tags and reroute logs or bypass filters. Another (CVE-2025-12977) allows unsanitized tag values (including newlines, directory-traversal strings, and control characters), which can corrupt downstream parsing, enable file-system writes, or allow further escalation.
According to the blog, AWS has secured all of its internal systems that rely on Fluent Bit through the Fluent Bit project and released Fluent Bit version 4.1.1. AWS did not immediately respond to CSO’s request for comment.
File writes, container overflow, and full agent takeover
Oligo also disclosed a series of remote code execution (RCE) and path traversal vulnerabilities affecting the tool. CVE-2025-12972 targets the “out_file” output plugin. When Tag values are user-controlled and no fixed File parameter is set, attackers can abuse the Tag value (e.g., “../”) to cause path-traversal file writes or overwrites, ultimately letting them plant malicious files or achieve RCE.
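To make the tag-handling and out_file problems described above concrete, here is an added Python model. It is not Fluent Bit's own code and not Oligo's proof of concept; the output directory, the trusted tag, the hostile tags and the function names are assumptions chosen for illustration, and the first-character comparison and the naive path build are stand-ins for the behaviours the article describes rather than the plugin's actual implementation. It covers the three tag issues together: a tag that matches on its first character only, a tag carrying a newline that forges a second record downstream, and a tag carrying “../” that escapes the output directory, alongside the allow-list check and parent-directory check that reject the latter two.

```python
"""Added example (not Fluent Bit code): attacker-controlled tags reaching routing
and the out_file path, and the checks that stop them. All names below are assumed."""
import posixpath
import re

# Constructed inputs for the demo, not captured traffic.
OUTPUT_DIR = "/var/log/fluent-bit"           # assumed out_file Path setting
TRUSTED_TAG = "app.web"                       # assumed trusted routing tag
HOSTILE_TAGS = {
    "impersonate": "attacker",                 # shares only its first char with "app.web"
    "traverse": "../../../etc/cron.d/job",     # traversal string in the tag (CVE-2025-12972 style)
    "inject": "app.web\napp.db",               # embedded newline (CVE-2025-12977 style)
}

# Allow-list for a single tag component: no slashes, separators or control chars.
TAG_RE = re.compile(r"[A-Za-z0-9_.-]+")


def tag_is_clean(tag, max_len=256):
    """Reject empty, over-long, or non-allow-listed tags before they are used anywhere."""
    return 0 < len(tag) <= max_len and TAG_RE.fullmatch(tag) is not None


def first_char_match(expected, tag):
    """Models the weak comparison the article describes: only the first character
    of the tag key is checked, so any tag starting with 'a' matches 'app.web'."""
    return bool(tag) and tag[0] == expected[0]


def exact_match(expected, tag):
    """The comparison routing should actually use."""
    return tag == expected


def naive_output_path(base_dir, tag):
    """Vulnerable pattern: file name derived straight from the tag, so '../' escapes."""
    return posixpath.normpath(posixpath.join(base_dir, tag))


def confined_output_path(base_dir, tag):
    """Hardened: validate the tag, then require the result to be a direct child of base_dir."""
    if not tag_is_clean(tag):
        raise ValueError(f"rejected tag: {tag!r}")
    base = posixpath.normpath(base_dir)
    candidate = posixpath.normpath(posixpath.join(base, tag))
    if posixpath.dirname(candidate) != base:
        raise ValueError(f"tag escapes output dir: {tag!r}")
    return candidate


def format_record(tag, message):
    """One line-oriented record, as a downstream consumer would read it."""
    return f"{tag} {message}\n"


def parse_records(text):
    """Downstream parser: one record per line."""
    return [line for line in text.split("\n") if line]


def demo():
    """Run each hostile tag through the weak and the hardened paths; return the outcomes."""
    results = {}
    results["impersonate_weak"] = first_char_match(TRUSTED_TAG, HOSTILE_TAGS["impersonate"])
    results["impersonate_exact"] = exact_match(TRUSTED_TAG, HOSTILE_TAGS["impersonate"])
    results["naive_path"] = naive_output_path(OUTPUT_DIR, HOSTILE_TAGS["traverse"])
    try:
        confined_output_path(OUTPUT_DIR, HOSTILE_TAGS["traverse"])
        results["confined_path"] = "allowed"
    except ValueError:
        results["confined_path"] = "rejected"
    # The newline in the tag turns one event into two records, the second misattributed to app.db.
    raw = format_record(HOSTILE_TAGS["inject"], "level=error msg=intrusion")
    results["records_seen"] = len(parse_records(raw))
    results["inject_clean"] = tag_is_clean(HOSTILE_TAGS["inject"])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allow-list is deliberately stricter than a blocklist of “../” and “\n”: it also rejects NUL bytes, carriage returns and path separators, which covers the control-character case the article mentions without enumerating each one. The parent-directory check is a second line of defence in case a tag ever slips through the regex.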
“Our research found that some of these vulnerabilities, such as CVE-2025-12972, have left cloud environments vulnerable for over 8 years,” Katz noted.
In the Docker input plugin (in_docker), CVE-2025-12970 is a stack buffer overflow. If an attacker names a container with an excessively long name, the overflow lets them crash the agent or execute code. Oligo warned that the flaw allows attackers to seize the logging agent, hide their activity, plant backdoors, and pivot further into the system.
