CVE-2026-45625 -- CVSS 9.9 Vulnerability Briefing

CVE-2026-45625 | CVSS 9.9 (Critical) | Exploit: No known exploit

What Is It

CVE-2026-45625 is an authentication or access control vulnerability in Arcane, an open-source web interface for managing Docker containers, images, networks, and volumes. It affects versions prior to 1.19.0 and is exposed through the huma-based REST API endpoints under /api/customize/git-repositories and related paths.

Technical Detail

The flaw resides in nine REST API endpoints exposed by Arcane's huma framework, which appear to lack adequate authentication or authorization controls, permitting unauthenticated or unauthorized callers to interact with sensitive Docker management functions. An attacker with network access to the Arcane interface could invoke these endpoints to manipulate git repository configurations or related resources, potentially leading to unauthorized code execution, container escape, or full host compromise depending on the Docker environment's privilege configuration. The CVSS score of 9.9 indicates near-maximum severity, consistent with unauthenticated remote code execution or equivalent impact against a privileged container management surface.

Exploitation Status

No known exploit has been publicly documented as of June 05, 2026. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog, and no proof-of-concept code has been confirmed in public repositories. The absence of a known exploit does not reduce urgency given the critical CVSS score and the nature of the exposed attack surface.

Who Is Targeting This

Confirmed (ATTAX-verified): Equation (origin unspecified, motivation unknown), FIN13 (origin unspecified, motivation unknown), and APT28 (Russia, nation-state motivation) have all been attributed with high confidence. Reported (research-inferred): EQUATION (medium confidence, motivation unknown) and VELVETANT (medium confidence, motivation unknown) have been identified through research-level attribution but are not yet confirmed. The overlap between confirmed Equation and reported EQUATION entries may reflect the same actor cluster referenced under different naming conventions across intelligence sources.

What To Do

Upgrade Arcane to version 1.19.0 or later immediately, as this is the vendor-confirmed remediated release. If upgrading is not immediately possible, restrict network access to the Arcane management interface using firewall rules or network segmentation so that only trusted administrative hosts can reach the API endpoints. Avoid exposing Arcane directly to the internet or untrusted internal network segments. Monitor for anomalous API calls to /api/customize/git-repositories and related paths, particularly from unexpected source addresses or at unusual times. Given the confirmed interest from APT28 and FIN13, organizations running Docker infrastructure in financial, government, or critical infrastructure environments should treat this as a priority patch regardless of current exploit availability.
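The monitoring step above can be sketched as a log review script. This is an added example, not code from Arcane or from this briefing. It assumes a reverse proxy in front of Arcane writes common/combined-format access logs; the trusted network, the working-hours window and the sample lines are constructed placeholders, and only the path named in the briefing is watched (add the other affected paths from the vendor advisory).

```python
import ipaddress
import re
from datetime import datetime

# Assumptions (not from the briefing): trusted admin network and working hours.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
WORK_HOURS = range(7, 20)  # 07:00-19:59 in the proxy's logged timezone
WATCHED_PREFIX = "/api/customize/git-repositories"

# Common/combined log format, as written by a reverse proxy in front of Arcane.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def review_line(line):
    """Return a finding dict for a request worth reviewing, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    path = m["target"].split("?", 1)[0]
    # Match the watched path or anything below it, not look-alike prefixes.
    if path != WATCHED_PREFIX and not path.startswith(WATCHED_PREFIX + "/"):
        return None
    reasons = []
    try:
        src = ipaddress.ip_address(m["src"])
        if not any(src in net for net in TRUSTED_NETS):
            reasons.append("untrusted-source")
    except ValueError:  # proxy logged a hostname or a malformed address
        reasons.append("unparseable-source")
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    if ts.hour not in WORK_HOURS:
        reasons.append("off-hours")
    if not reasons:
        return None
    return {"src": m["src"], "method": m["method"], "path": path,
            "status": int(m["status"]), "time": ts.isoformat(), "reasons": reasons}

def scan(lines):
    """Review every line and return only the findings."""
    return [f for f in map(review_line, lines) if f]

# Constructed sample lines (documentation address range), not real traffic.
SAMPLE = [
    '10.20.0.5 - admin [05/Jun/2026:10:15:02 +0000] "GET /api/customize/git-repositories HTTP/1.1" 200 512',
    '203.0.113.44 - - [05/Jun/2026:10:16:40 +0000] "POST /api/customize/git-repositories HTTP/1.1" 201 230',
    '10.20.0.5 - admin [05/Jun/2026:02:41:09 +0000] "DELETE /api/customize/git-repositories/7 HTTP/1.1" 204 0',
    '203.0.113.44 - - [05/Jun/2026:10:17:00 +0000] "GET / HTTP/1.1" 200 15',
]
```

Calling `scan(SAMPLE)` returns two findings: the POST from the untrusted address and the off-hours DELETE from the admin host. A 2xx status on an untrusted-source finding is the case to triage first.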
