Critical Linux Vulnerabilities Allow Attackers to Gain Root Access

Security researchers have identified two critical local privilege escalation (LPE) vulnerabilities affecting a wide range of Linux distributions. When chained, these flaws allow attackers to instantly elevate their privileges to root, posing a universal risk to systems running default configurations.

PAM Misconfiguration Opens the Door on SUSE Systems

The first vulnerability, CVE-2025-6018, stems from a misconfiguration in the Pluggable Authentication Modules (PAM) framework. This issue affects openSUSE Leap 15 and SUSE Linux Enterprise 15, enabling local users to escalate their privileges to those of the “allow_active” user — a gateway role that can lead to further privilege escalation.

libblockdev/Udisks Flaw Impacts Most Major Distros

The second flaw, CVE-2025-6019, resides in the libblockdev library and interacts with the udisks daemon, a service used by default on nearly all major Linux distributions. An attacker with allow_active privileges can exploit this bug to gain full root access.

This vulnerability is especially dangerous because udisks ships by default, even on hardened systems. Although exploitation nominally requires allow_active status, researchers warn that gaining this level of access is trivial on many systems — especially when combined with the PAM issue.

Discover your weakest link. Be proactive, not reactive. Cybercriminals need just one flaw to strike.

Local-to-Root Chain Enables Full System Takeover

According to Qualys Threat Research Unit (TRU), chaining the two vulnerabilities can provide immediate root-level access. The team has successfully demonstrated this chain exploit on Ubuntu, Debian, Fedora, and openSUSE Leap 15, using proof-of-concept (PoC) code developed during their research.

“These vulnerabilities remove nearly all barriers to root access,” said Saeed Abbasi, TRU Senior Manager. “The simplicity of the exploit combined with its widespread impact makes this an urgent risk.”

Admins Urged to Patch Immediately

Qualys urges system administrators to patch both flaws without delay. The organization has published technical details and linked to mitigation instructions via Openwall’s security post. Delaying patching could put entire infrastructure fleets at risk.

“One unpatched system can compromise an entire environment,” Abbasi added. “Root access allows attackers to tamper with agents, establish persistence, and move laterally.”

Qualys Track Record: A Warning From Past Exploits

These latest findings add to a growing list of critical flaws discovered by Qualys in recent years. Notable past vulnerabilities include:

• PwnKit (Polkit’s pkexec)
• Looney Tunables (glibc’s ld.so)
• Sequoia (Kernel filesystem LPE)
• Baron Samedit (Sudo’s heap overflow bug)

All of these flaws were found to be exploitable in default installations — and some, like Looney Tunables, were exploited in the wild just weeks after disclosure.

Qualys also recently uncovered five long-standing LPEs in the needrestart utility, a tool used by default in Ubuntu Linux 21.04 and later.

Are u a security researcher? Or a company that writes articles about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing? If you want to express your idea in an article contact us here for a quote: [email protected]

Source: bleepingcomputer.com

Source Link