Critical Linux Vulnerabilities Identified Enabling Root Access Exploitation
Two new vulnerabilities have been identified in widely used Linux components, posing significant risks by enabling unprivileged users to gain root access across various popular distributions.
The first vulnerability, classified as CVE-2025-6018, pertains to a local privilege escalation (LPE) flaw within the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. This misconfiguration enables any local login session, including remote sessions via SSH, to be treated as if the user were physically present at the machine. This status, referred to as “allow_active,” grants access to specific privileged operations that are typically restricted to users with direct access to the device.
The second vulnerability, CVE-2025-6019, exists in libblockdev and can be triggered through the udisks daemon, which is present by default on nearly all Linux distributions. Once a user holds allow_active status, this flaw yields complete root access.
Together, these vulnerabilities create an uncomplicated and risky pathway from unprivileged access to root privileges.
Exploit Chain Impacts Multiple Distributions
The udisks daemon, along with its libblockdev backend, is utilized for managing disks and storage devices. These components are designed to provide heightened privileges to users designated as “active.” However, the PAM misconfiguration undermines this trust model, converting standard sessions into potential security threats.
The exploit chain is particularly alarming as it does not require additional software or physical access; a mere SSH login to a vulnerable system suffices.
Qualys Threat Research Unit (TRU) has successfully demonstrated this exploit chain on various distributions including Ubuntu, Debian, Fedora, and openSUSE Leap 15. The ease with which attackers can transition from a standard SSH session to full root privileges using only components that come pre-installed underscores the severity of this issue.
Researchers from TRU stated, “Nothing exotic is required. Each link is pre-installed on mainstream Linux distributions and their server builds.”
Key risks associated with these vulnerabilities include:
– Complete system takeover
– Evasion of endpoint detection tools
– Installation of persistent backdoors
– Potential fleet-wide compromise via lateral movement
Mitigation and Recommendations
Security teams are strongly urged to apply patches for both vulnerabilities without delay.
Additional recommendations include:
– Modifying the default polkit rule for org.freedesktop.udisks2.modify-device
– Changing its allow_active setting from yes to auth_admin
– Following vendor advisories for platforms such as SUSE, Ubuntu, and others
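The following script is an added example, not code from Qualys TRU, the udisks project, or any vendor advisory. It shows how a defender can audit the polkit default that the recommendation above targets and produce the hardened setting in two equivalent ways: by rewriting the `<allow_active>` element inside the org.freedesktop.udisks2.modify-device action block (which is what "changing allow_active from yes to auth_admin" means in the policy XML), and by emitting a rules.d override that returns polkit.Result.AUTH_ADMIN for that action without touching the vendor file. The path /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy is assumed as the usual location of the action definition; the policy file the script operates on is a constructed sample that reproduces the weak default, so everything runs offline.

```shell
#!/bin/sh
# Added example (not from the advisory or the udisks project): audit and harden
# the polkit default for org.freedesktop.udisks2.modify-device.
# Assumption: on a real host the action lives in a .policy XML file such as
# /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy (path assumed).

ACTION_ID="org.freedesktop.udisks2.modify-device"

# Print the <allow_active> value of one action ($2) in a .policy file ($1).
# Only the matching <action id="..."> ... </action> block is inspected, so
# sibling actions such as modify-device-system are not confused with it.
policy_allow_active() {
    awk -v id="$2" '
        index($0, "<action id=\"" id "\"") { inside = 1 }
        inside && match($0, /<allow_active>[^<]*<\/allow_active>/) {
            v = substr($0, RSTART, RLENGTH)
            sub(/<allow_active>/, "", v); sub(/<\/allow_active>/, "", v)
            print v; exit
        }
        inside && /<\/action>/ { inside = 0 }
    ' "$1"
}

# Succeed (0) when an active session must authenticate as admin for the
# action; fail (1) when an active session gets it for free ("yes").
policy_is_hardened() {
    v=$(policy_allow_active "$1" "$ACTION_ID")
    [ "$v" = "auth_admin" ] || [ "$v" = "auth_admin_keep" ]
}

# Write a hardened copy of a policy file ($1 -> $2): allow_active yes becomes
# auth_admin, but only inside the target action's block.
harden_policy() {
    awk -v id="$ACTION_ID" '
        index($0, "<action id=\"" id "\"") { inside = 1 }
        inside { sub(/<allow_active>yes<\/allow_active>/, "<allow_active>auth_admin</allow_active>") }
        /<\/action>/ { inside = 0 }
        { print }
    ' "$1" > "$2"
}

# Print a polkit rules.d override (polkit's JavaScript rule API) that has the
# same effect without editing the vendor-shipped .policy file; an admin would
# save it under /etc/polkit-1/rules.d/ (assumed conventional location).
print_override_rule() {
    cat <<EOF
polkit.addRule(function(action, subject) {
    if (action.id == "$ACTION_ID") {
        return polkit.Result.AUTH_ADMIN;
    }
});
EOF
}

# Constructed sample policy reproducing the weak default; demonstration only.
SAMPLE_DIR=$(mktemp -d)
SAMPLE="$SAMPLE_DIR/sample.policy"
cat > "$SAMPLE" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.freedesktop.udisks2.filesystem-mount">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks2.modify-device">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
EOF

HARDENED="$SAMPLE_DIR/hardened.policy"
echo "before: allow_active=$(policy_allow_active "$SAMPLE" "$ACTION_ID")"
harden_policy "$SAMPLE" "$HARDENED"
echo "after:  allow_active=$(policy_allow_active "$HARDENED" "$ACTION_ID")"
echo "equivalent rules.d override:"
print_override_rule
```

Run it against the real file by pointing `policy_allow_active` at the vendor .policy path; a result of `yes` for the modify-device action means any session that polkit considers active, which on an affected host includes plain SSH logins, can invoke the privileged udisks operation without authenticating. Prefer the rules.d override in production so package updates do not silently revert the change.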
Failure to act promptly may leave entire fleets susceptible to compromise. The root access obtained through this exploit permits undetectable persistence and enables cross-system attacks, thereby amplifying the risks to enterprise infrastructure.