The FreeIPA Team has released a security advisory addressing a critical privilege escalation vulnerability (CVE-2025-7493) that could allow attackers to escalate privileges from a host-level account to a domain administrator. With a CVSS score of 9.1, this flaw poses a severe risk to organizations using FreeIPA for identity and authentication management.
FreeIPA is widely deployed as an integrated security information management platform, combining Linux (Fedora), 389 Directory Server, MIT Kerberos, DNS, NTP, and Dogtag for certificate services. A FreeIPA server provides centralized authentication, authorization and account information by storing data about users, groups, hosts and other objects needed to manage the security aspects of a network of computers.
This centralized role makes FreeIPA environments high-value targets for attackers.
The new vulnerability is described as a continuation of CVE-2025-4404, where incomplete uniqueness checks in Kerberos attributes left gaps that could be exploited.
The FreeIPA Team explains: “In CVE-2025-4404 it was found that uniqueness of the canonical Kerberos principal name and its aliases was not complete. We further found that cross-attribute uniqueness was not possible to enforce in 389-ds LDAP server. As a result, it was still possible to add an alias of ‘root’ to a Kerberos service principal controlled by a system already enrolled into IPA.”
This weakness could allow an attacker to masquerade as the root user within a domain, gaining full administrative privileges.
To address this, the 389-ds attribute uniqueness plugin was extended to enforce cross-attribute uniqueness checks using custom LDAP matching rules. The FreeIPA fix for CVE-2025-7493 relies on these upstream changes, so it is only effective on a 389-ds build that includes them.
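The invariant the fix enforces is that a principal name may identify only one directory entry, whether it appears there as the canonical name or as an alias. The following Python model, added here as an illustration and not code from FreeIPA or 389-ds, shows why a check that consults only one attribute is insufficient: it separates krbCanonicalName from the alias values in krbPrincipalName (a simplification of the real layout) and contrasts a per-attribute lookup with a cross-attribute one. The realm, base DN, entries and the root alias on the admin user are constructed for the example.

```python
"""Model of the cross-attribute principal-name uniqueness invariant described
in the advisory.  Added illustration only: not FreeIPA or 389-ds code.  The
attribute layout is simplified (krbPrincipalName here holds only the extra
aliases, not the canonical name) and the realm, base DN and entries are
constructed for the example.
"""
from dataclasses import dataclass, field

REALM = "EXAMPLE.TEST"                        # constructed realm
BASE = "dc=example,dc=test"                   # constructed base DN


@dataclass
class Entry:
    dn: str
    canonical: str                             # krbCanonicalName, single-valued
    aliases: set = field(default_factory=set)  # krbPrincipalName aliases, multi-valued


class UniquenessViolation(Exception):
    """Raised when a principal name would identify two directory entries."""


def same_attribute_collisions(directory, target_dn, name):
    """Collisions a per-attribute check sees: only the alias attribute of other
    entries is consulted, so a value equal to another entry's canonical name
    is not detected."""
    return [e.dn for e in directory if e.dn != target_dn and name in e.aliases]


def cross_attribute_collisions(directory, target_dn, name):
    """Collisions a cross-attribute check sees: canonical name and aliases of
    every other entry.  Comparison is exact; Kerberos principal names are
    case-sensitive, so no case folding is applied here."""
    return [e.dn for e in directory
            if e.dn != target_dn and (name == e.canonical or name in e.aliases)]


def add_alias(directory, target_dn, name):
    """Add an alias to target_dn only if it names nothing else in the directory."""
    clashes = cross_attribute_collisions(directory, target_dn, name)
    if clashes:
        raise UniquenessViolation(f"{name} already names {', '.join(clashes)}")
    for e in directory:
        if e.dn == target_dn:
            e.aliases.add(name)
            return True
    raise KeyError(target_dn)


ADMIN_DN = f"uid=admin,cn=users,cn=accounts,{BASE}"
HOST_DN = f"fqdn=h1.example.test,cn=computers,cn=accounts,{BASE}"


def build_directory():
    """Constructed entries: an admin user carrying a root alias, and one
    enrolled host whose credential an attacker is assumed to hold."""
    return [
        Entry(ADMIN_DN, f"admin@{REALM}", {f"root@{REALM}"}),
        Entry(HOST_DN, f"host/h1.example.test@{REALM}", set()),
    ]


if __name__ == "__main__":
    d = build_directory()
    # The host-level attacker tries to claim the admin's names as aliases.
    for wanted in (f"root@{REALM}", f"admin@{REALM}"):
        print(wanted,
              "same-attribute:", same_attribute_collisions(d, HOST_DN, wanted),
              "cross-attribute:", cross_attribute_collisions(d, HOST_DN, wanted))
```

In the model, claiming admin@EXAMPLE.TEST as a host alias passes the per-attribute check because that value lives only in the admin entry's canonical attribute; the cross-attribute check rejects it, which is the property the extended plugin is meant to guarantee before the KDC ever has to resolve an ambiguous name.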
Additionally, the FreeIPA Team has tightened Kerberos policy by rejecting tickets that lack a Privilege Attribute Certificate (PAC) structure. The advisory notes: “PAC structure in Kerberos tickets contains a number of individual buffers that encode information about the Kerberos client principal available to Kerberos KDC. The structure is cryptographically signed and also contains additional signatures that can be validated by both KDC and the service that will receive the ticket.”
FreeIPA 4.12.5 includes the complete fix for CVE-2025-7493. Administrators running earlier versions are strongly advised to upgrade to 4.12.5 or later to ensure that the patched 389-ds LDAP uniqueness checks and PAC enforcement policies are applied.
Since FreeIPA 4.9.0, deployments have been configured to associate Security Identifiers (SIDs) with accounts and issue PACs, enabling stronger validation and preventing identity spoofing.
While the fixes significantly reduce exploitation risk, the advisory warns that environments without PAC issuance remain vulnerable: “The fix at the Kerberos KDC side cannot help in the environments where SIDs aren’t associated with the Kerberos principals and no PAC is issued at all.”
Administrators are urged to upgrade their deployments and, where SIDs were never assigned, to enable SID generation (ipa config-mod --enable-sid --add-sids also assigns SIDs to existing accounts) and confirm that account entries carry an ipaNTSecurityIdentifier attribute; only then does the KDC issue PACs and the new enforcement mitigate identity spoofing.