Exposure in Amazon ECS Agent Allows Off-Host Introspection Server Access
CVE-2025-9039

5.3MEDIUM

Key Information:

Vendor

Amazon

Status
Ecs
Vendor
CVE Published:
14 August 2025

What is CVE-2025-9039?

A vulnerability exists in the Amazon ECS agent that allows off-host access to its introspection server under specific conditions. If instances are deployed within the same security group, or if security group settings permit incoming connections to the server's port (51678), another instance may gain unauthorized access. This risk emphasizes the importance of securing the network configuration. To mitigate this vulnerability, it is crucial to upgrade to ECS agent version 1.97.1 or modify the security groups to restrict access to the introspection server.

Affected Version(s)

ECS 0.0.3 < 1.97.1

References

https://github.com/aws/amazon-ecs-agent/releases/tag/v1.97.1
patch
https://aws.amazon.com/security/security-bulletins/AWS-20...
vendor-advisory
https://github.com/aws/amazon-ecs-agent/security/advisori...
vendor-advisory

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.