AWS Updates - 2025-08-14

AWS Security Bulletins

CVE-2025-9039 - Issue with Amazon ECS agent introspection server

• Link: https://aws.amazon.com/security/security-bulletins/rss/aws-2025-018/
• Published: 2025-08-14

Bulletin ID: AWS-2025-018
Scope: AWS
Content Type: Important (requires attention)
Publication Date: 2025/08/14 09:15 PM PDT

Description:

Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service that enables customers to deploy, manage, and scale containerized applications. Amazon ECS container agent provides an introspection API that provides information about the overall state of the Amazon ECS agent and the container instances.

We identified CVE-2025-9039, an issue in the Amazon ECS agent. Under certain conditions, this issue could allow an introspection server to be accessed off-host by another instance if the instances are in the same security group or if their security groups allow inbound connections to the introspection server port. This issue does not affect instances where the option to allow off-host access to the introspection server is set to "false".

Affected versions:

ECS Agent versions 0.0.3 through 1.97.0