
The Qualys Threat Research Unit (TRU) has unveiled two interconnected privilege escalation vulnerabilities—CVE-2025-6018 and CVE-2025-6019—that can allow any local attacker to gain full root access on a wide range of Linux distributions with minimal effort. This powerful LPE (Local Privilege Escalation) chain, leveraging flaws in both PAM configurations and the libblockdev/udisks stack, is being described as a “critical, universal risk” due to its simplicity and widespread impact.
“An attacker can chain these vulnerabilities for immediate root compromise with minimal effort,” the TRU report warns.
The first vulnerability, tracked as CVE-2025-6018, resides in the Pluggable Authentication Modules (PAM) configuration on openSUSE Leap 15 and SUSE Linux Enterprise 15. Due to improper session handling, the PAM stack erroneously grants “allow_active” status to remote SSH users—essentially treating them as if they were physically present at the machine.
“A misconfiguration here can treat any local login—including remote SSH sessions—as if the user were at the console,” explains TRU.
This allows an unprivileged attacker to access restricted polkit operations, paving the way for further privilege escalation.
The second flaw, tracked as CVE-2025-6019, lies in the udisks daemon, which interacts with libblockdev to manage storage devices. This service runs by default on most major Linux distributions—including Ubuntu, Fedora, Debian, and openSUSE. If a user already holds the “allow_active” status, they can exploit this flaw to gain full root privileges.
“This libblockdev/udisks flaw is extremely significant,” the researchers state. “Given the ubiquity of udisks and the simplicity of the exploit, organizations must treat this as a critical, universal risk.”
Chaining both vulnerabilities enables an attacker to escalate from unprivileged user to root without needing physical access.
The TRU team developed proof-of-concept (PoC) exploits that successfully demonstrate root-level access on several major Linux platforms. No exotic techniques are required—just a local user session, SSH access, and default services.
“These modern ‘local-to-root’ exploits have collapsed the gap between an ordinary logged-in user and a full system takeover,” warns TRU.
Organizations running Linux systems—particularly openSUSE Leap 15 and SUSE Linux Enterprise 15—should immediately apply patches and review polkit rules.
To mitigate CVE-2025-6019, modify the polkit rule for the org.freedesktop.udisks2.modify-device action: change its allow_active setting from yes to auth_admin, so that even a session polkit regards as active must authenticate as an administrator before modifying devices.
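As an added illustration (not Qualys's or the udisks project's code), the rule below shows what that change looks like written as a polkit rules.d file, with a small stand-in for polkit's rule engine so its effect on an SSH session that the PAM flaw marks as active can be checked offline; the file name, the sample subject and the stand-in evaluator are assumptions.

```javascript
// Stand-in for polkit's rule engine (assumed model, not polkit itself): rules
// registered with polkit.addRule() run in order, the first result other than
// NOT_HANDLED wins, otherwise the action's implicit defaults from its .policy apply.
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
  rules: [],
  addRule(fn) { this.rules.push(fn); },
};

// Implicit defaults for the action named in the advisory (values constructed here).
// The weak setting is allow_active = "yes": a local, active session needs no password.
const implicitDefaults = {
  "org.freedesktop.udisks2.modify-device":
    { allow_any: "auth_admin", allow_inactive: "auth_admin", allow_active: "yes" },
};

function checkAuthorization(actionId, subject) {
  for (const rule of polkit.rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== undefined && result !== polkit.Result.NOT_HANDLED) return result;
  }
  const d = implicitDefaults[actionId];
  if (!d) return polkit.Result.NO;                      // unknown action: deny
  if (subject.local && subject.active) return d.allow_active;
  if (subject.local) return d.allow_inactive;
  return d.allow_any;
}

// The mitigation, written as it would go into a file such as
// /etc/polkit-1/rules.d/10-udisks2-modify-device.rules (file name assumed).
// It forces AUTH_ADMIN for the action no matter what allow_active status the
// session holds, so a login wrongly marked active still needs admin credentials.
function installHardeningRule() {
  polkit.addRule(function (action, subject) {
    if (action.id == "org.freedesktop.udisks2.modify-device") {
      return polkit.Result.AUTH_ADMIN;
    }
  });
}

// Constructed subject: an SSH login that the PAM misconfiguration (CVE-2025-6018)
// presents to polkit as a local, active session.
const sshSubject = { user: "alice", local: true, active: true };

function demo() {
  const before = checkAuthorization("org.freedesktop.udisks2.modify-device", sshSubject);
  installHardeningRule();
  const after = checkAuthorization("org.freedesktop.udisks2.modify-device", sshSubject);
  return { before, after };   // { before: "yes", after: "auth_admin" }
}
```

On a real system the shipped implicit defaults can be listed with `pkaction --verbose --action-id org.freedesktop.udisks2.modify-device`; rules in /etc/polkit-1/rules.d/ override them and are read in lexical file-name order.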
“Always prioritize patches and follow specific instructions from your Linux distribution vendor’s advisory,” urges TRU.
Full technical details and mitigation guidance are available here.