CVE-2025-14551 Overview
CVE-2025-14551 is an information disclosure vulnerability in Ubuntu Subiquity version 24.04.4 that could leak sensitive user credentials during crash reporting. When an installation failure occurs and a user submits a bug report to Launchpad, Subiquity could inadvertently include certain user credentials, such as the user's plaintext Wi-Fi password, in the attached logs.
Critical Impact
Sensitive user credentials including plaintext Wi-Fi passwords may be exposed through crash report logs submitted to Launchpad, potentially compromising user privacy and network security.
Affected Products
- Ubuntu Subiquity version 24.04.4
Discovery Timeline
- 2026-04-09 - CVE CVE-2025-14551 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2025-14551
Vulnerability Analysis
This vulnerability falls under CWE-1258 (Exposure of Sensitive System Information Due to Uncleared Debug Information). The core issue lies in improper handling of sensitive data during the crash reporting workflow. When Subiquity encounters an installation failure, it collects diagnostic information to help developers understand and resolve the issue. However, the log collection mechanism fails to properly sanitize or redact sensitive user-provided configuration data before including it in bug reports.
The impact primarily affects user privacy, as credentials submitted with crash reports become accessible to developers and potentially other parties with access to the Launchpad bug tracking system. While the attack vector is network-based, exploitation requires specific conditions: the user must experience an installation failure and then voluntarily submit a crash report.
Root Cause
The root cause of this vulnerability is insufficient data sanitization in Subiquity's crash reporting functionality. The log collection process captures configuration data including Wi-Fi credentials without implementing proper redaction mechanisms. This results in sensitive information being exposed through debug information that should have been cleared or masked before transmission.
Attack Vector
The attack vector is network-based but requires user interaction. An attacker cannot directly trigger this vulnerability; instead, it occurs through the following scenario:
- A user begins an Ubuntu installation using Subiquity version 24.04.4
- During installation, the user configures Wi-Fi connectivity, entering their network password
- The installation encounters a failure
- The user chooses to submit a bug report to Launchpad
- Subiquity includes sensitive credentials in the attached logs
- Anyone with access to the bug report can view the plaintext credentials
The vulnerability manifests in the crash reporting workflow where log files containing Wi-Fi configuration data are attached to bug reports without proper sanitization. See GitHub Pull Request #2357 and GitHub Pull Request #2358 for technical details on the fix implementation.
Detection Methods for CVE-2025-14551
Indicators of Compromise
- Review previously submitted crash reports on Launchpad for exposed Wi-Fi credentials
- Check Subiquity log files for plaintext password entries in Wi-Fi configuration sections
- Audit any bug reports submitted after failed installations using affected Subiquity versions
Detection Strategies
- Monitor for Subiquity version 24.04.4 deployments in your environment
- Implement network traffic analysis to detect crash report submissions containing credential patterns
- Review organizational policies around crash report submissions during OS installations
Monitoring Recommendations
- Establish alerts for Ubuntu installations using vulnerable Subiquity versions
- Monitor Launchpad for any organization-related bug reports that may contain sensitive data
- Implement endpoint detection to identify systems running the affected version
How to Mitigate CVE-2025-14551
Immediate Actions Required
- Update Ubuntu Subiquity to a patched version that addresses the credential leakage issue
- Advise users to avoid submitting crash reports when using the vulnerable version
- Review and request removal of any previously submitted crash reports that may contain sensitive credentials
- Change Wi-Fi passwords that may have been exposed through crash reports
Patch Information
Canonical has addressed this vulnerability through code changes documented in GitHub Pull Request #2357 and GitHub Pull Request #2358. Users should update to the latest version of Subiquity that includes these fixes.
Workarounds
- Do not submit crash reports when installation failures occur on Subiquity version 24.04.4
- If a crash report must be submitted, manually review and redact sensitive information from log files before submission
- Consider using wired network connections during installation to avoid Wi-Fi credential entry
- If credentials were potentially exposed, change the affected Wi-Fi network password immediately
# Check Subiquity version
snap info subiquity
# Update to latest patched version
sudo snap refresh subiquity
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
