A critical vulnerability, identified as CVE-2025-8868, has been discovered in multiple In Progress Chef products, specifically affecting Chef Automate versions prior to 4.13.295. This flaw allows an authenticated attacker to bypass security restrictions and access sensitive functions within the compliance service. Successful exploitation could lead to a complete compromise of the Chef Automate platform, enabling an attacker to control managed infrastructure and access sensitive data.

The vulnerability is an improper access control flaw within the compliance service of Chef Automate on the Linux x86 platform. An attacker who has already authenticated to the system, even with low privileges, can send a specially crafted request to the service to bypass authorization checks. This allows the attacker to access and execute restricted, high-privilege functionality, effectively escalating their privileges and gaining administrative control over the Chef Automate instance.

This vulnerability is rated as critical severity with a CVSS score of 9.8, indicating a high risk of compromise with low exploit complexity once an attacker has authenticated. A successful exploit could lead to a complete takeover of the organization's infrastructure-as-code environment. The potential consequences include unauthorized modification of infrastructure configurations, deployment of malicious software across all managed nodes, exfiltration of sensitive credentials and data stored within Chef, and significant disruption to business operations that rely on automated deployments and compliance scanning.

Immediate Action: Organizations must immediately upgrade affected In Progress Chef products to the latest secure version, ensuring that Chef Automate is updated to version 4.13.295 or later. Following the update, review access logs for any anomalous activity related to the compliance service to identify potential past exploitation attempts.

Proactive Monitoring: Implement enhanced monitoring of the Chef Automate platform. Specifically, look for unusual API calls to the compliance service, access to administrative functions from non-administrative accounts, and unexpected configuration changes originating from the Chef server. Monitor for outbound network connections from the Chef server to untrusted destinations.

Compensating Controls: If immediate patching is not possible, implement the following compensating controls:

• Strictly limit network access to the Chef Automate management interface and API, allowing connections only from trusted administrative subnets.
• Review all user accounts and permissions, enforcing the principle of least privilege to reduce the attack surface from a compromised low-privilege account.
• Deploy a Web Application Firewall (WAF) with rules to inspect and block malicious requests targeting the compliance service API endpoints.

Public Exploit Available: false

Given the critical severity (CVSS 9.8) of this vulnerability and its potential to grant attackers full control over automated infrastructure, immediate action is required. We strongly recommend that all organizations using affected versions of In Progress Chef products apply the security updates provided by the vendor without delay. If patching cannot be performed immediately, the compensating controls listed above should be implemented as a temporary measure to reduce risk. Although this CVE is not currently listed on the CISA KEV catalog, its high impact and ease of exploitation for an authenticated user make it a high-priority target for remediation.