Attackers can exploit two newly found native privilege escalation (LPE) vulnerabilities to achieve root privileges on methods working main Linux distributions.
The primary flaw (tracked as CVE-2025-6018) was discovered within the configuration of the Pluggable Authentication Modules (PAM) framework on openSUSE Leap 15 and SUSE Linux Enterprise 15, permitting native attackers to achieve the privileges of the “allow_active” consumer.
The opposite safety bug (CVE-2025-6019) was found in libblockdev, and it allows an “allow_active” consumer to achieve root permissions by way of the udisks daemon (a storage administration service that runs by default on most Linux distributions).
Whereas efficiently abusing the 2 flaws as a part of a “local-to-root” chain exploit can let attackers shortly acquire root and fully take over a SUSE system, the libblockdev/udisks flaw can be extraordinarily harmful by itself.
“Though it nominally requires ‘allow_active’ privileges, udisks ships by default on virtually all Linux distributions, so practically any system is susceptible,” stated Qualys TRU senior supervisor Saeed Abbasi.
“Methods to achieve ‘allow_active,’ together with the PAM challenge disclosed right here, additional negate that barrier. An attacker can chain these vulnerabilities for speedy root compromise with minimal effort.”
The Qualys Risk Analysis Unit (TRU), which found and reported each flaws, has developed proof-of-concept exploits and efficiently focused CVE-2025-6019 to get root privileges on Ubuntu, Debian, Fedora, and openSUSE Leap 15 methods.
Admins urged to patch instantly
The Qualys Safety Advisory crew has shared extra technical particulars concerning these two vulnerabilities right here and linked to safety patches on this Openwall submit.
“Root entry allows agent tampering, persistence, and lateral motion, so one unpatched server endangers the entire fleet. Patch each PAM and libblockdev/udisks all over the place to remove this path,” Abbasi added.
“Given the ubiquity of udisks and the simplicity of the exploit, organizations should deal with this as a vital, common threat and deploy patches directly.”
In recent times, Qualys researchers have found a number of different Linux safety vulnerabilities that permit attackers hijack unpatched Linux methods, even in default configurations.
Safety flaws they found embody a flaw in Polkit’s pkexec part (dubbed PwnKit), one in glibc’s ld.so dynamic loader (Looney Tunables), one other within the Kernel’s filesystem layer (dubbed Sequoia), and one within the Sudo Unix program (aka Baron Samedit).
Shortly after the Looney Tunables flaw was disclosed, proof-of-concept (PoC) exploits had been launched on-line. One month later, attackers started exploiting it to steal cloud service supplier (CSP) credentials utilizing Kinsing malware.
Qualys additionally lately discovered 5 LPE vulnerabilities launched over 10 years in the past within the needrestart utility utilized by default in Ubuntu Linux 21.04 and later.
Patching used to imply complicated scripts, lengthy hours, and countless hearth drills. Not anymore.
On this new information, Tines breaks down how fashionable IT orgs are leveling up with automation. Patch quicker, scale back overhead, and deal with strategic work — no complicated scripts required.
