Attackers can exploit two newly found native privilege escalation (LPE) vulnerabilities to achieve root privileges on techniques working main Linux distributions.
The primary flaw (tracked as CVE-2025-6018) was discovered within the configuration of the Pluggable Authentication Modules (PAM) framework on openSUSE Leap 15 and SUSE Linux Enterprise 15, permitting native attackers to achieve the privileges of the “allow_active” consumer.
The opposite safety bug (CVE-2025-6019) was found in libblockdev, and it permits an “allow_active” consumer to achieve root permissions by way of the udisks daemon (a storage administration service that runs by default on most Linux distributions).
Whereas efficiently abusing the 2 flaws as a part of a “local-to-root” chain exploit can let attackers rapidly achieve root and fully take over a SUSE system, the libblockdev/udisks flaw can also be extraordinarily harmful by itself.
“Though it nominally requires ‘allow_active’ privileges, udisks ships by default on nearly all Linux distributions, so practically any system is weak,” mentioned Qualys TRU senior supervisor Saeed Abbasi.
“Strategies to achieve ‘allow_active,’ together with the PAM challenge disclosed right here, additional negate that barrier. An attacker can chain these vulnerabilities for instant root compromise with minimal effort.”
The Qualys Risk Analysis Unit (TRU), which found and reported each flaws, has developed proof-of-concept exploits and efficiently focused CVE-2025-6019 to get root privileges on Ubuntu, Debian, Fedora, and openSUSE Leap 15 techniques.
Admins urged to patch instantly
The Qualys Safety Advisory workforce has shared extra technical particulars concerning these two vulnerabilities right here and linked to safety patches on this Openwall submit.
“Root entry permits agent tampering, persistence, and lateral motion, so one unpatched server endangers the entire fleet. Patch each PAM and libblockdev/udisks all over the place to eradicate this path,” Abbasi added.
“Given the ubiquity of udisks and the simplicity of the exploit, organizations should deal with this as a important, common threat and deploy patches immediately.”
In recent times, Qualys researchers have found a number of different Linux safety vulnerabilities that allow attackers hijack unpatched Linux techniques, even in default configurations.
Safety flaws they found embody a flaw in Polkit’s pkexec part (dubbed PwnKit), one in glibc’s ld.so dynamic loader (Looney Tunables), one other within the Kernel’s filesystem layer (dubbed Sequoia), and one within the Sudo Unix program (aka Baron Samedit).
Shortly after the Looney Tunables flaw was disclosed, proof-of-concept (PoC) exploits have been launched on-line. One month later, attackers started exploiting it to steal cloud service supplier (CSP) credentials utilizing Kinsing malware.
Qualys additionally just lately discovered 5 LPE vulnerabilities launched over 10 years in the past within the needrestart utility utilized by default in Ubuntu Linux 21.04 and later.
Patching used to imply complicated scripts, lengthy hours, and infinite fireplace drills. Not anymore.
On this new information, Tines breaks down how fashionable IT orgs are leveling up with automation. Patch quicker, cut back overhead, and deal with strategic work — no complicated scripts required.
