New Linux Privilege Escalation Vulnerabilities Give Attackers Full Root Control

-

 Two newly discovered and interconnected Linux vulnerabilities — CVE-2025-6018 and CVE-2025-6019 — enable unprivileged attackers to escalate privileges to root across major Linux distributions. Affecting millions of systems globally, these flaws represent a severe and urgent security threat requiring immediate action.



 Overview of the Vulnerability Chain

The vulnerability chain, uncovered by the Qualys Threat Research Unit, hinges on two distinct but related flaws that when exploited in sequence, allow full root access:

  • CVE-2025-6018 — A misconfiguration in the Pluggable Authentication Modules (PAM) on SUSE-based systems allows SSH users to be misclassified as local “active” users.

  • CVE-2025-6019 — A flaw in the libblockdev library, accessible via the udisks daemon, grants root privileges to users in an “allow_active” context.

Together, they form a dangerous privilege escalation chain, easily exploitable on systems with default configurations.

 CVE-2025-6018: SUSE PAM Misconfiguration

This vulnerability affects openSUSE Leap 15 and SUSE Linux Enterprise 15, where the PAM stack mistakenly elevates SSH users to “allow_active” status. This designation, typically reserved for physically present users at the console, is key to gaining higher privileges via polkit policies.

Impact: Unprivileged users connecting via SSH can access functionalities meant for console users — a foundational misstep that opens the door to root escalation.

 CVE-2025-6019: Udisks + libblockdev Privilege Escalation

After gaining “allow_active” status, attackers can exploit udisks2, a default system daemon on most Linux distros (Ubuntu, Debian, Fedora, openSUSE, etc.). Udisks communicates with libblockdev to manage storage devices, and attackers can use the exposed org.freedesktop.udisks2.modify-device action to run arbitrary code as root.

Impact: Allows full root access with minimal interaction, turning a foothold into total system compromise.

 Affected Systems & CVSS Scores

CVE-2025-6018 affects openSUSE Leap 15 and SUSE Linux Enterprise 15. It allows unprivileged users to escalate their status to “allow_active” by exploiting a misconfigured PAM stack. This escalation requires local access to the system — for example, via SSH. The vulnerability has been assigned a CVSS v3.1 score of 8.8 (High) due to the elevated privileges it enables and the ease of exploitation.
CVE-2025-6019 affects the libblockdev package and the udisks daemon, both of which are included by default in major Linux distributions such as Ubuntu, Debian, Fedora, and openSUSE. It enables full root access when exploited by a user in an “allow_active” context — whether gained via CVE-2025-6018 or by physically accessing the system. This vulnerability carries a CVSS v3.1 score of 7.8 (High), reflecting its high impact despite requiring a preceding step or privileged context.

 Urgent Mitigation Guidance

Security teams must act immediately to mitigate these flaws and prevent full system compromise.

1. Patch Affected Packages

  • Apply vendor-provided patches for:

    • PAM configurations (SUSE)

    • libblockdev and udisks2 components (all major distros)

2. Modify Polkit Rules

To block unauthorized privilege escalation:

  • Change the udisks2 policy for the org.freedesktop.udisks2.modify-device action from allow_active to auth_admin.

// /etc/polkit-1/rules.d/99-udisks2.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.modify-device" &&
        subject.isInGroup("wheel")) {
        return polkit.Result.AUTH_ADMIN;
    }
});

This forces authentication for device modification, even for active users.

 Why This Matters

The widespread use of default configurations and core Linux services like PAM and udisks2 makes this a near-universal threat. Exploitation can lead to:

  • Disabling of security monitoring tools

  • Installation of persistent malware

  • Lateral movement across networks

  • Total system takeover

Qualys researchers have successfully demonstrated exploits across Ubuntu, Debian, Fedora, and SUSE, proving the feasibility and danger of these flaws.

 Patch Now, Not Later

The simplicity of the exploit chain and the ubiquity of affected components mean every organization running Linux is potentially vulnerable. The cost of delay could be a full-scale compromise of your infrastructure.

Patch immediately. Review polkit rules. Harden SSH configurations..

Comments

Post a Comment

Popular posts from this blog

The Hidden Lag Killing Your SIEM Efficiency

-
Image
  If your security tools feel slower than they should, you’re not imagining it. Many IT teams blame their sluggish SIEM performance on query complexity or alert volume. But sometimes the real issue is much simpler: oversized input files quietly dragging your system down. Think about the last time you had to sift through a bloated PDF or an unoptimised log dump. Every unnecessary megabyte adds strain. Every redundant line eats up cycles. Your SIEM doesn’t just react to threats—it processes all incoming data, relevant or not. When it starts lagging, detection gets delayed, triage slows, and in the high-stakes world of threat response, even seconds count. We often focus on analytics and rule tuning, but upstream efficiency—what you feed into your system—deserves just as much attention. This article looks at how optimising your inputs unlocks downstream performance. Why Oversized Files Clog the Pipeline As data volumes grow, organisations face esca lating  data storage costs ,...
Read more

Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution

-
Image
Critical Vulnerability in Veeam Backup & Replication Exposes Enterprises to Remote Code Execution By : Rei Ibraima A newly discovered critical vulnerability in Veeam’s Backup & Replication software, designated as CVE-2025-23120, poses a significant security risk to enterprise environments. The flaw allows authenticated domain users to execute arbitrary code remotely, potentially leading to full compromise of backup infrastructures. About CVE-2025-23120 The vulnerability arises from an insecure deserialization issue within Veeam Backup & Replication components—particularly in the .NET classes Veeam.Backup.EsxManager.xmlFrameworkDs and Veeam.Backup.Core.BackupSummary. Improper input validation in these components allows attackers to inject malicious serialized objects that are executed on the server side, resulting in Remote Code Execution (RCE). This issue affects systems where Veeam Backup & Replication is deployed in a domain-joined configuration, which—while common—is...
Read more

Lotus Panda Hacks SE Asian Governments With Browser Stealers and Sideloaded Malware

-
Image
The China-linked cyber espionage group tracked as Lotus Panda has been attributed to a campaign that compromised multiple organizations in an unnamed Southeast Asian country between August 2024 and February 2025. "Targets included a government ministry, an air traffic control organization, a telecoms operator, and a construction company," the Symantec Threat Hunter Team said in a new report shared with The Hacker News. "The attacks involved the use of multiple new custom tools, including loaders, credential stealers, and a reverse SSH tool." The intrusion set is also said to have targeted a news agency located in another country in Southeast Asia and an air freight organization located in another neighboring country. The threat cluster, per Broadcom's cybersecurity division, is assessed to be a continuation of a campaign that was disclosed by the company in December 2024 as a high-profile organization in Southeast Asia since at least October 2023. ...
Read more