Wednesday, June 18, 2025

Critical Privilege Escalation Flaws Grant Full Root Access on Multiple Linux Distros


The Qualys Threat Research Unit (TRU) has uncovered two interconnected local privilege escalation (LPE) vulnerabilities, CVE-2025-6018 and CVE-2025-6019, that together allow attackers to gain full root access on a wide range of Linux distributions with minimal effort.

These flaws affect both desktop and server installations, and exploiting them requires only a local user session, such as one obtained over SSH, which makes them a critical risk for enterprises and individuals alike.

Vulnerability Details

CVE            Affected Component       Impact                    Affected Distros
CVE-2025-6018  PAM (openSUSE/SLE 15)    allow_active escalation   openSUSE Leap 15, SLE 15
CVE-2025-6019  libblockdev/udisks       Root privilege            Ubuntu, Debian, Fedora, openSUSE

CVE-2025-6018: PAM Misconfiguration in SUSE Linux


The first flaw, CVE-2025-6018, is rooted in the Pluggable Authentication Modules (PAM) configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15.

Due to improper session handling, PAM can incorrectly grant "allow_active" status to any local login, including remote SSH sessions, treating remote users as if they were physically present at the console.

This misclassification allows an unprivileged user to invoke privileged polkit actions normally reserved for console users.

CVE-2025-6019: libblockdev/udisks Privilege Escalation

The second vulnerability, CVE-2025-6019, affects libblockdev and is exploitable via the udisks daemon, which is installed by default on most major Linux distributions, including Ubuntu, Fedora, Debian, and openSUSE.

If a user already has "allow_active" status, they can exploit this flaw to escalate directly to root privileges. While CVE-2025-6019 on its own requires that context, chaining it with CVE-2025-6018 allows an unprivileged attacker to reach root from scratch.

Exploit Chain and Impact

By chaining these vulnerabilities, any attacker with a basic user account, for example one reached over SSH, can rapidly escalate to full root privileges on affected systems.

This chain collapses the traditional security boundary between ordinary users and root, enabling attackers to:

  • Disable endpoint detection and response (EDR) agents
  • Implant persistent kernel-level backdoors
  • Rewrite system configurations for long-term compromise
  • Use compromised servers as launchpads for lateral movement across networks

Proof-of-concept exploits have demonstrated successful attacks on Ubuntu, Debian, Fedora, and openSUSE Leap 15, confirming the widespread impact.

Mitigation and Recommendations

Given the ubiquity of udisks and the simplicity of the exploit, organizations should treat these flaws as a critical, universal risk and act immediately:

  • Patch Promptly: Apply security updates for both PAM and libblockdev/udisks as soon as they are available from your Linux distribution vendor.
  • Polkit Rule Hardening: Change the polkit rule for org.freedesktop.udisks2.modify-device from allow_active=yes to auth_admin, so that device modifications require administrator authentication.
  • Review Security Policies: Strengthen polkit rules and loop-mount policies to contain potential breaches.
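As an added example (not from the article or from Qualys), the following POSIX shell script checks the packaged polkit default for the udisks2 action named above and emits the auth_admin override rule; the pkaction output it parses offline is a constructed sample, and the rule format assumes polkit's JavaScript rules directory (polkit 0.106 and later).

```shell
#!/bin/sh
# Added example: audit the "implicit active" default of the udisks2
# modify-device action and print a hardening rule for /etc/polkit-1/rules.d/.
ACTION_ID="org.freedesktop.udisks2.modify-device"

# Read `pkaction --verbose --action-id <id>` output on stdin and print the
# "implicit active" value (e.g. "yes" or "auth_admin"). Exit 1 if absent.
implicit_active_default() {
  awk '/^  implicit active:/ { print $3; found=1 } END { exit found ? 0 : 1 }'
}

# Polkit JavaScript rule that forces admin authentication for the action,
# overriding the packaged allow_active=yes default.
hardening_rule() {
  cat <<'EOF'
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.modify-device") {
        return polkit.Result.AUTH_ADMIN;
    }
});
EOF
}

# Constructed sample of pkaction output for an unhardened default install.
SAMPLE_PKACTION='org.freedesktop.udisks2.modify-device:
  description:       Modify the drive settings
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   yes'

# Evaluate the constructed sample (used when pkaction is not installed).
audit_sample() {
  printf '%s\n' "$SAMPLE_PKACTION" | implicit_active_default || echo unknown
}

main() {
  if command -v pkaction >/dev/null 2>&1; then
    default=$(pkaction --verbose --action-id "$ACTION_ID" 2>/dev/null |
              implicit_active_default || echo unknown)
  else
    default=$(audit_sample)
  fi
  echo "$ACTION_ID: implicit active = $default"
  if [ "$default" = "yes" ]; then
    echo "Unhardened default; install this rule in /etc/polkit-1/rules.d/:"
    hardening_rule
  fi
}

main
```

On a live host the script queries pkaction itself; the constructed sample is only a fallback for offline use.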

Chaining CVE-2025-6018 and CVE-2025-6019 allows any SSH user on SUSE Linux Enterprise 15 or openSUSE Leap 15 to escalate from a normal user to root under default configurations.

This enables agent tampering, persistence, and lateral movement, making every unpatched server a potential risk to the entire fleet. Rapid patching and policy updates are essential to close this critical privilege escalation path.
