Critical Linux Privilege Escalation Vulnerabilities Let Attackers Gain Full Root Access
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
Two critical, interconnected flaws, CVE-2025-6018 and CVE-2025-6019, enable unprivileged attackers to achieve root access on major Linux distributions.<\/p>\n
Affecting millions worldwide, these vulnerabilities pose a severe security emergency that demands immediate patching.<\/p>\n
The first vulnerability exploits PAM configuration weaknesses in SUSE systems, while the second leverages the ubiquitous udisks daemon to escalate privileges to root level, creating a perfect storm for system compromise.<\/p>\n
The vulnerability chain uncovered by Qualys Threat Research Unit begins with CVE-2025-6018, a local privilege escalation flaw residing in the Pluggable Authentication Modules (PAM) configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15.\u00a0<\/p>\n
This misconfiguration allows unprivileged attackers connecting via SSH to elevate their status to \u201callow_active\u201d users, a designation typically reserved for physically present users at the console.\u00a0<\/p>\n
This initial foothold becomes the launching point for the more devastating second attack.<\/p>\n
CVE-2025-6019 targets libblockdev, a critical library accessible through the udisks daemon that ships by default on virtually all Linux distributions<\/a>.\u00a0<\/p>\n Once an attacker achieves \u201callow_active\u201d status, this vulnerability provides a direct pathway to full root privileges.\u00a0<\/p>\n The combination is particularly dangerous because udisks is pre-installed on mainstream distributions including Ubuntu, Debian, Fedora, and openSUSE, making the attack surface nearly universal.\u00a0<\/p>\n Qualys researchers have successfully demonstrated proof-of-concept exploits across these platforms, confirming the widespread nature of the threat.<\/p>\n The attack leverages fundamental Linux system components that handle authentication and device management.\u00a0<\/p>\n The PAM framework controls user authentication and session establishment, determining which users qualify as \u201cactive\u201d for privileged operations.<\/p>\n In affected SUSE systems, the PAM stack incorrectly treats remote SSH sessions as equivalent to local console access, granting polkit permissions that should remain restricted to physically present users.<\/p>\n The second stage exploits the udisks2 service, which provides a D-Bus interface for storage management operations including mounting, querying, and formatting block devices, reads the report<\/a>.<\/p>\n The service communicates with libblockdev to perform low-level device operations. The vulnerability specifically targets the \u201corg.freedesktop.udisks2.modify-device\u201d polkit action, which by default allows any active user to modify devices.\u00a0<\/p>\n An attacker with \u201callow_active\u201d status can manipulate this interface to execute arbitrary code with root privileges, completing the privilege escalation chain.<\/p>\n