Attackers can exploit two newly discovered local privilege escalation (LPE) vulnerabilities to gain root privileges on systems running major Linux distributions.

The first flaw (tracked as CVE-2025-6018) was found in the configuration of the Pluggable Authentication Modules (PAM) framework on openSUSE Leap 15 and SUSE Linux Enterprise 15, allowing local attackers to gain the privileges of the "allow_active" user.

The other security bug (CVE-2025-6019) was discovered in libblockdev, and it enables an "allow_active" user to gain root permissions via the udisks daemon (a storage management service that runs by default on most Linux distributions).

While successfully abusing the two flaws as part of a "local-to-root" chain exploit can let attackers quickly gain root and completely take over a SUSE system, the libblockdev/udisks flaw is also extremely dangerous on its own.

"Although it nominally requires 'allow_active' privileges, udisks ships by default on almost all Linux distributions, so nearly any system is vulnerable," said Qualys TRU senior manager Saeed Abbasi. "Techniques to gain 'allow_active,' including the PAM issue disclosed here, further negate that barrier. An attacker can chain these vulnerabilities for immediate root compromise with minimal effort."

The Qualys Threat Research Unit (TRU), which discovered and reported both flaws, has also developed proof-of-concept exploits and successfully targeted CVE-2025-6019 to get root privileges on Ubuntu, Debian, Fedora, and openSUSE Leap 15 systems.

Admins urged to patch immediately

The Qualys Security Advisory team has shared more technical details regarding these two vulnerabilities here and linked to security patches in this Openwall post.

"Root access enables agent tampering, persistence, and lateral movement, so one unpatched server endangers the whole fleet. Patch both PAM and libblockdev/udisks everywhere to eliminate this path," Abbasi added.
"Given the ubiquity of udisks and the simplicity of the exploit...
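The "allow_active" privilege the article keeps returning to is a polkit concept: each polkit action's `.policy` file carries a `<defaults>` block whose `<allow_active>` entry says what a user with an active local session may do without admin authentication. The following script, an added example that is not part of the article or of Qualys' advisory, parses that XML so an administrator can list which actions on a host are already open to any active local user (the privilege tier the libblockdev/udisks bug starts from). The sample policy text, its action IDs, and the `/usr/share/polkit-1/actions` default path are constructed or assumed for illustration; the script reports exposure, it does not test whether a host is patched.

```python
import glob
import os
import xml.etree.ElementTree as ET

# Constructed sample in the polkit .policy format (action IDs are placeholders,
# not udisks' real action names).
SAMPLE_POLICY = """<policyconfig>
  <action id="org.example.storage.mount">
    <description>Mount a filesystem</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.storage.modify-system">
    <description>Modify system-wide storage configuration</description>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

DEFAULT_TAGS = ("allow_any", "allow_inactive", "allow_active")


def parse_policy(xml_text):
    """Return {action_id: {allow_any, allow_inactive, allow_active}} for one policy file."""
    root = ET.fromstring(xml_text)
    results = {}
    for action in root.iter("action"):
        action_id = action.get("id")
        defaults = action.find("defaults")
        if action_id is None or defaults is None:
            continue
        results[action_id] = {
            tag: (defaults.findtext(tag) or "").strip() for tag in DEFAULT_TAGS
        }
    return results


def active_user_actions(policies, prefix=""):
    """Action IDs that an active local session may invoke with no authentication
    at all ("yes"), optionally restricted to IDs starting with `prefix`."""
    return sorted(
        action_id
        for action_id, defaults in policies.items()
        if defaults.get("allow_active") == "yes" and action_id.startswith(prefix)
    )


def scan_policy_dir(path="/usr/share/polkit-1/actions"):
    """Merge every *.policy file under `path` (assumed polkit action directory).
    Unreadable or malformed files are skipped rather than aborting the audit."""
    merged = {}
    for policy_file in sorted(glob.glob(os.path.join(path, "*.policy"))):
        try:
            with open(policy_file, encoding="utf-8") as fh:
                merged.update(parse_policy(fh.read()))
        except (OSError, ET.ParseError):
            continue
    return merged


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the live host if the
    # directory exists.
    sample = parse_policy(SAMPLE_POLICY)
    print("sample: open to active users ->", active_user_actions(sample))
    host = scan_policy_dir()
    if host:
        print("host: %d actions, %d allow any active user without auth"
              % (len(host), len(active_user_actions(host))))
```

Run it as root or any user (the policy directory is world-readable) and pass a `prefix` such as the storage daemon's action namespace to narrow the listing; a long list of `yes` entries is the surface an "allow_active" foothold can reach before the patches land.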
First seen: 2025-06-23 08:04
Last seen: 2025-06-24 00:09