Friday, June 20, 2025

New Linux udisks flaw lets attackers get root on major Linux distros

Attackers can exploit two newly discovered local privilege escalation (LPE) vulnerabilities to gain root privileges on systems running major Linux distributions.

The first flaw (tracked as CVE-2025-6018) was found in the configuration of the Pluggable Authentication Modules (PAM) framework on openSUSE Leap 15 and SUSE Linux Enterprise 15, allowing local attackers to gain the privileges of the “allow_active” user.

The other security bug (CVE-2025-6019) was found in libblockdev, and it allows an “allow_active” user to gain root permissions via the udisks daemon (a storage management service that runs by default on most Linux distributions).

While successfully abusing the two flaws as part of a “local-to-root” chain exploit can let attackers quickly gain root and completely take over a SUSE system, the libblockdev/udisks flaw is also extremely dangerous on its own.

“Though it nominally requires ‘allow_active’ privileges, udisks ships by default on nearly all Linux distributions, so practically any system is vulnerable,” said Qualys TRU senior manager Saeed Abbasi.

“Techniques to gain ‘allow_active,’ including the PAM issue disclosed here, further negate that barrier. An attacker can chain these vulnerabilities for immediate root compromise with minimal effort.”

The Qualys Threat Research Unit (TRU), which discovered and reported both flaws, has developed proof-of-concept exploits and successfully targeted CVE-2025-6019 to get root privileges on Ubuntu, Debian, Fedora, and openSUSE Leap 15 systems.

Admins urged to patch immediately

The Qualys Security Advisory team has shared more technical details regarding these two vulnerabilities here and linked to security patches in this Openwall post.

“Root access enables agent tampering, persistence, and lateral movement, so one unpatched server endangers the whole fleet. Patch both PAM and libblockdev/udisks everywhere to eliminate this path,” Abbasi added.

“Given the ubiquity of udisks and the simplicity of the exploit, organizations must treat this as a critical, universal risk and deploy patches without delay.”

In recent years, Qualys researchers have discovered several other Linux security vulnerabilities that let attackers hijack unpatched Linux systems, even in default configurations.

Security flaws they discovered include a flaw in Polkit’s pkexec component (dubbed PwnKit), one in glibc’s ld.so dynamic loader (Looney Tunables), another in the Kernel’s filesystem layer (dubbed Sequoia), and one in the Sudo Unix program (aka Baron Samedit).

Shortly after the Looney Tunables flaw was disclosed, proof-of-concept (PoC) exploits were released online. One month later, attackers began exploiting it to steal cloud service provider (CSP) credentials using Kinsing malware.

Qualys also recently found five LPE vulnerabilities introduced over 10 years ago in the needrestart utility used by default in Ubuntu Linux 21.04 and later.
