Teleport, an open-source platform for secure access to infrastructure, issued a warning on Friday about a critical-severity vulnerability that could allow remote attackers to bypass standard authentication controls.
Key Details
• Vulnerability Identifier: CVE-2025-49825
• Severity: Critical (CVSS score: 9.8)
• Impact: Remote attackers can bypass SSH authentication, potentially gaining unauthorized access to Teleport-managed systems.
• Affected Versions: Teleport Community Edition versions up to 17.5.1, as well as older supported versions (see table below for specifics).
| Affected Major Versions | Patched Version |
|---|---|
| 17.x | 17.5.2 |
| 16.x | 16.5.12 |
| 15.x | 15.5.3 |
| 14.x | 14.4.1 |
| 13.x | 13.4.27 |
| 12.x | 12.4.35 |
Exploitation and Mitigation
The flaw can be exploited remotely to bypass authentication on systems using Teleport SSH agents, OpenSSH-integrated deployments, and Teleport Git proxy setups. There is currently no public proof-of-concept exploit and no evidence of exploitation in the wild as of the announcement.
Teleport has automatically applied patches for cloud customers, but self-hosted Teleport agents must be updated manually as soon as possible. All nodes must be upgraded to the patched version that matches the major version of your cluster.
For Kubernetes deployments, Teleport recommends using the teleport-kube-agent updater rather than teleport-update.
Additional Notes
Note that Teleport Cloud infrastructure and CI/CD build/test/release infrastructure are not affected. For the patched versions listed above, Teleport has temporarily lifted some Community Edition license restrictions if the patch is applied within 30 days of release. A full technical disclosure and open-source patch will be published after an embargo period ending June 30, 2025, to give users time to upgrade.
About Teleport
Teleport is an open-source infrastructure access management platform designed to provide secure connectivity, authentication, and access control for servers, cloud applications, and databases. It supports multiple protocols, including SSH, RDP, and HTTPS, and is widely used to manage access to Kubernetes clusters and various databases.
Key Features
• Unified Access Point: Teleport acts as a single proxy for all supported network protocols, streamlining access management for IT teams.
• Zero Trust Security: Implements fine-grained, ephemeral authorization for both human and machine identities, eliminating static credentials and enhancing security.
• Automatic Updates & Vulnerability Testing: Recent versions include features for automatic vulnerability detection, self-updating, and patching across infrastructure, reducing manual maintenance.
• Integration Capabilities: Supports integration with identity providers like Okta and cloud platforms such as AWS for seamless application and database access.
• Hosted and Self-Managed Options: Offers both cloud-hosted services and self-managed deployments to suit different organizational needs.
