New Linux udisks flaw lets attackers get root on major Linux distros

Attackers can exploit two newly discovered local privilege escalation (LPE) vulnerabilities to gain root privileges on systems running major Linux distributions.

The first flaw (tracked as CVE-2025-6018) was found in the configuration of the Pluggable Authentication Modules (PAM) framework on openSUSE Leap 15 and SUSE Linux Enterprise 15, allowing local attackers to gain the privileges of the “allow_active” user.

The other security bug (CVE-2025-6019) was discovered in libblockdev, and it enables an “allow_active” user to gain root permissions via the udisks daemon (a storage management service that runs by default on most Linux distributions).

While successfully abusing the two flaws as part of a “local-to-root” exploit chain can let attackers quickly gain root and completely take over a SUSE system, the libblockdev/udisks flaw is also extremely dangerous on its own.
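The exposure described above hinges on what polkit's “allow_active” default grants to a user with an active local session. The following audit script, added here as an illustration and not part of the article or of Qualys's advisory, parses polkit `.policy` files (the XML format in which polkit actions declare their `allow_any` / `allow_inactive` / `allow_active` defaults) and lists every action an active session may invoke with no authentication prompt at all. The embedded sample policy and its `org.example.*` action ids are constructed for the demo; pointing the script at a real `/usr/share/polkit-1/actions` directory shows which privileged actions (udisks included) a host hands to active-session users without a password, which is the surface a defender should review and, where acceptable, tighten to `auth_admin`.

```python
#!/usr/bin/env python3
"""Audit polkit .policy files for actions that active local sessions get without authentication.

Added example; assumes the standard polkit .policy XML layout
(<action id="..."><defaults><allow_active>...</allow_active></defaults></action>).
"""
import glob
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the polkit .policy format; the action ids are invented.
SAMPLE_POLICY = """<policyconfig>
  <vendor>example</vendor>
  <action id="org.example.storage.mount">
    <description>Mount a filesystem</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.storage.modify-device">
    <description>Modify a block device</description>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.storage.wipe">
    <description>Wipe a block device</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# polkit authorization results that never prompt the caller for a password
NO_PROMPT = {"yes"}


def parse_policy(xml_text):
    """Return {action_id: allow_active_value} for every <action> in a policy document."""
    root = ET.fromstring(xml_text)
    result = {}
    for action in root.iter("action"):
        node = action.find("defaults/allow_active")
        # polkit treats a missing default as "no"
        value = node.text.strip() if node is not None and node.text else "no"
        result[action.get("id")] = value
    return result


def unauthenticated_active_actions(xml_text):
    """Action ids an active local session can invoke with no authentication at all."""
    return sorted(aid for aid, val in parse_policy(xml_text).items() if val in NO_PROMPT)


def scan_directory(path):
    """Scan every *.policy file in a polkit actions directory; returns {file: [action ids]}."""
    findings = {}
    for filename in sorted(glob.glob(os.path.join(path, "*.policy"))):
        with open(filename, encoding="utf-8") as fh:
            try:
                ids = unauthenticated_active_actions(fh.read())
            except ET.ParseError:
                continue  # skip malformed files rather than abort the audit
        if ids:
            findings[filename] = ids
    return findings


if __name__ == "__main__":
    # Usage: audit_polkit.py [actions-dir]; falls back to the constructed sample
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/share/polkit-1/actions"
    if os.path.isdir(target):
        for filename, ids in scan_directory(target).items():
            print(filename)
            for aid in ids:
                print("  allow_active=yes  ", aid)
    else:
        print("sample policy, no-prompt actions for active sessions:")
        for aid in unauthenticated_active_actions(SAMPLE_POLICY):
            print("  ", aid)
```

The script flags only the `yes` result; `auth_self`, `auth_admin` and their `_keep` variants still prompt, so the `wipe` action in the sample is reported as gated. Actions listed as `allow_active=yes` on a real host are the ones a local session can drive through the corresponding daemon without ever typing a password, so they are the ones to compare against the vendor's patched policy after updating libblockdev/udisks.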

“Although it nominally requires ‘allow_active’ privileges, udisks ships by default on almost all Linux distributions, so nearly any system is vulnerable,” said Qualys TRU senior manager Saeed Abbasi.

“Techniques to gain ‘allow_active,’ including the PAM issue disclosed here, further negate that barrier. An attacker can chain these vulnerabilities for immediate root compromise with minimal effort.”

The Qualys Threat Research Unit (TRU), which discovered and reported both flaws, has developed proof-of-concept exploits and successfully targeted CVE-2025-6019 to get root privileges on Ubuntu, Debian, Fedora, and openSUSE Leap 15 systems.

Admins urged to patch immediately

The Qualys Security Advisory team has published more technical details on the two vulnerabilities in its advisory and has linked to the security patches in an Openwall post.

“Root access enables agent tampering, persistence, and lateral movement, so one unpatched server endangers the whole fleet. Patch both PAM and libblockdev/udisks everywhere to eliminate this path,” Abbasi added.

“Given the ubiquity of udisks and the simplicity of the exploit, organizations must treat this as a critical, universal risk and deploy patches without delay.”

In recent years, Qualys researchers have discovered several other Linux security vulnerabilities that let attackers hijack unpatched Linux systems, even in default configurations.

Security flaws they discovered include a flaw in Polkit’s pkexec component (dubbed PwnKit), one in glibc’s ld.so dynamic loader (Looney Tunables), another in the kernel’s filesystem layer (dubbed Sequoia), and one in the Sudo Unix program (aka Baron Samedit).

Shortly after the Looney Tunables flaw was disclosed, proof-of-concept (PoC) exploits were released online. One month later, attackers began exploiting it to steal cloud service provider (CSP) credentials using Kinsing malware.

Qualys also recently found five LPE vulnerabilities introduced over 10 years ago in the needrestart utility used by default in Ubuntu Linux 21.04 and later.
