Red Hat Satellite Foreman CVE-2025-10622: Brief Summary of Command Injection Vulnerability

This post provides a brief summary of CVE-2025-10622, a command injection vulnerability in Red Hat Satellite's Foreman component affecting version 6.18. We highlight technical details, affected versions, and vendor security history based on available public sources.
CVE Analysis

ZeroPath CVE Analysis

2025-11-05

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Attackers with legitimate access to Red Hat Satellite can escalate privileges and execute arbitrary commands on the underlying operating system if the edit_settings permission is granted too broadly. This flaw in the Foreman component directly impacts the provisioning and configuration backbone of many enterprise Linux environments.

Red Hat Satellite is a widely deployed infrastructure management solution for Red Hat Enterprise Linux, used by large enterprises to automate system provisioning, configuration, and lifecycle management. The Foreman component is the upstream open-source project at the core of Satellite's provisioning engine. Red Hat's products are foundational to global enterprise IT, with millions of systems managed worldwide.

Technical Information

CVE-2025-10622 is a command injection vulnerability in Red Hat Satellite's Foreman component. The vulnerability exists in the handling of the ct_location and fcct_location settings, which tell Foreman where to find the command it invokes to transpile CoreOS and Fedora CoreOS templates. These settings can be changed by any user holding the edit_settings permission in the Foreman administrative interface.

The root cause is insufficient server-side validation of these parameters. The application fails to enforce strict whitelisting or proper sanitization, allowing attackers to inject shell metacharacters or command substitution syntax. When the provisioning template is rendered and the affected parameter is used, the injected command executes with the privileges of the Foreman process (typically the foreman system user).

The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CWE-602 (Client-Side Enforcement of Server-Side Security). The issue is similar to the previously disclosed CVE-2022-3874, which affected the ct_command and fcct_command parameters in earlier Foreman versions.

No public code snippets are available for the vulnerable implementation, but public advisories confirm that exploitation involves supplying malicious values to the ct_location or fcct_location settings and triggering template rendering.
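Since no vulnerable code is public, the following is an added illustration (not Foreman's or Red Hat's code) of the defect class described above and the usual fix: a setting that names a binary is interpolated into a shell string, versus validating it against an operator-maintained allowlist and executing it as an argv array with no shell. The allowlist paths, the `--platform metal` option and all function names are constructed assumptions for the example; `run_transpiler` only works where the allowed binary actually exists.

```ruby
require 'open3'

# Constructed allowlist for the example: the only binaries an operator permits
# the ct_location / fcct_location settings to point at (hypothetical paths).
ALLOWED_TRANSPILERS = %w[/usr/bin/ct /usr/bin/fcct /usr/local/bin/ct /usr/local/bin/fcct].freeze

class InvalidTranspilerLocation < StandardError; end

# The defect pattern (CWE-78): the setting value becomes part of a shell
# command line, so shell metacharacters in the setting are interpreted.
# Shown for contrast only; this example never executes the returned string.
def unsafe_command_string(location, config_path)
  "#{location} --platform metal < #{config_path}"
end

# Server-side validation of the setting value (hypothetical helper):
# absolute path, restricted character set, and on the allowlist.
def validate_transpiler_location(location)
  raise InvalidTranspilerLocation, 'must be a string' unless location.is_a?(String)
  raise InvalidTranspilerLocation, 'must be an absolute path' unless location.start_with?('/')
  raise InvalidTranspilerLocation, 'disallowed characters' unless location.match?(%r{\A/[A-Za-z0-9._/-]+\z})
  raise InvalidTranspilerLocation, 'not on allowlist' unless ALLOWED_TRANSPILERS.include?(location)
  location
end

# Convenience for callers and tests: true when the value would be rejected.
def rejected_location?(location)
  validate_transpiler_location(location)
  false
rescue InvalidTranspilerLocation
  true
end

# Build an argv array; each element is passed to exec() literally.
def transpile_argv(location, platform = 'metal')
  [validate_transpiler_location(location), '--platform', platform]
end

# Open3.capture2 with multiple arguments executes the binary directly, with
# no shell, so the validated path and options cannot be reinterpreted.
def run_transpiler(location, config_text)
  out, status = Open3.capture2(*transpile_argv(location), stdin_data: config_text)
  raise "transpiler failed: #{status}" unless status.success?
  out
end
```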

Affected Systems and Versions

  • Red Hat Satellite 6.18 x86_64
  • Red Hat Satellite Capsule 6.18 x86_64

Exploitation requires an account that holds the edit_settings permission, so the exposure on a given system depends on how widely that permission is granted. The issue specifically affects the ct_location and fcct_location settings in the Foreman component.

Vendor Security History

Red Hat has a strong record of issuing timely advisories and patches for security issues. However, the Foreman component has experienced similar command injection vulnerabilities in the past, notably CVE-2022-3874, which affected the ct_command and fcct_command parameters. The recurrence of this vulnerability class suggests deeper architectural challenges in input validation and command execution within Foreman. Red Hat's Product Security team typically responds quickly to reported issues and coordinates public disclosure and patch release.
