New Linux Flaws Allow Full Root Access via PAM and Udisks Across Major Distributions

4 Min Read

Cybersecurity researchers have discovered two local privilege escalation (LPE) flaws that can be exploited to gain root privileges on machines running major Linux distributions.

The vulnerabilities, discovered by Qualys, are listed below:

  • CVE-2025-6018 - LPE to allow_active in the SUSE 15 Pluggable Authentication Modules (PAM) configuration
  • CVE-2025-6019 - LPE from allow_active to root in libblockdev via the udisks daemon

“These modern ‘local-to-root’ exploits have broken the gap between normal logged-in users and full system acquisitions,” says Saeed Abbasi, senior manager at Qualys Threat Research Unit (TRU).

“By checking for legitimate services such as udisks loop-mounts and PAM/environment quirks, attackers who own active GUI or SSH sessions can appear as root in seconds, past Polkit’s allow_active trust zone.”

The cybersecurity company says that CVE-2025-6018 exists in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. It allows a local attacker to be promoted to the “allow_active” user, a status reserved for users with physical presence, and to invoke the Polkit actions available to such users.

Meanwhile, CVE-2025-6019 affects libblockdev and is exploitable via the udisks daemon, which is included by default in most Linux distributions. Essentially, it allows an “allow_active” user to obtain full root privileges by chaining it with CVE-2025-6018.

“It nominally requires the ‘allow_active’ privilege, but udisks ships by default on almost all Linux distributions, so almost every system is vulnerable,” Abbasi added. “The techniques for obtaining ‘allow_active’, including the PAM issues disclosed here, further deny that barrier.”

Once root privileges are obtained, attackers have carte blanche access to the system, allowing it to be used as a springboard for a wider range of post-compromise actions, including changing security controls and embedding backdoors for covert access.

Qualys said it has developed proof-of-concept (PoC) exploits to confirm the presence of these vulnerabilities on a variety of operating systems, including Ubuntu, Debian, Fedora and openSUSE Leap 15.

To mitigate the risks posed by these flaws, it is essential to apply the patches provided by Linux distribution vendors. As a temporary workaround, users can change the Polkit rule for “org.freedesktop.udisks2.modify-device” to require administrator authentication (“auth_admin”).
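One way to verify that the workaround above is in place, as an added example that is not from Qualys or the original article. It assumes the setting is expressed as the action's `allow_active` default in a polkit policy XML document; the sample policy is constructed, `audit_policy` is a hypothetical helper name, and overriding rules elsewhere in the polkit configuration are not evaluated.

```python
import sys
import xml.etree.ElementTree as ET

ACTION_ID = "org.freedesktop.udisks2.modify-device"
# "no" denies outright; both auth_admin variants require admin credentials.
SAFE_RESULTS = {"no", "auth_admin", "auth_admin_keep"}

# Constructed sample policy fragment (not copied from any distribution).
SAMPLE_WEAK = """<policyconfig>
  <action id="org.freedesktop.udisks2.modify-device">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>"""
# The same fragment with the workaround applied.
SAMPLE_HARDENED = SAMPLE_WEAK.replace(
    "<allow_active>yes<", "<allow_active>auth_admin<")


def audit_policy(xml_text, action_id=ACTION_ID):
    """Return (status, allow_active) for action_id in a polkit policy document.

    status: "hardened"  - active sessions are denied or must authenticate
                          as an administrator
            "exposed"   - allow_active grants the action without admin auth
            "unset"     - the action has no allow_active default; review by hand
            "not-found" - the action is not declared in this document
    """
    root = ET.fromstring(xml_text)
    for action in root.iter("action"):
        if action.get("id") != action_id:
            continue
        value = (action.findtext("defaults/allow_active") or "").strip()
        if not value:
            return "unset", None
        return ("hardened" if value in SAFE_RESULTS else "exposed"), value
    return "not-found", None


if __name__ == "__main__":
    # Pass the path of a policy file to audit it; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEAK
    print(audit_policy(text))
```

A result of `exposed` means an active session can still reach the udisks action without administrator authentication, so the patch or the workaround has not been applied to that policy.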

Flaw disclosed in Linux PAM

The disclosure comes as the Linux PAM maintainers resolved a high-severity path traversal flaw (CVE-2025-6020, CVSS score: 7.8) that could also allow a local user to escalate to root privileges. The issue has been fixed in version 1.7.1.

“The Linux-PAM module pam_namespace <= 1.7.0 allows access to user-controlled paths without proper protection. This allows local users to increase their privileges through multiple symlink attacks and race conditions.”

Linux systems are vulnerable if they use pam_namespace to set up polyinstantiated directories for which the path to either the polyinstantiated directory or the instance directory is under user control. As a workaround for CVE-2025-6020, users can disable pam_namespace or ensure that it does not operate on user-controlled paths.

Olivier Bal-Petre of ANSSI, who reported the flaw to the maintainers on January 29, 2025, said that users should also update their namespace.init script if they do not use the one provided by their distribution, to ensure that either of the two paths is safe to operate on as root.
