
Linux Distros at Risk: Chaining 2 LPEs for Root Access (CVE-2025-6018/19)

Summary

– Qualys researchers discovered two local privilege escalation vulnerabilities (CVE-2025-6018, CVE-2025-6019) that can be chained to gain root access on most Linux distributions with minimal effort.
– CVE-2025-6018 exploits a misconfiguration in PAM on openSUSE Leap 15 and SUSE Linux Enterprise 15, allowing an unprivileged local attacker to gain “allow_active” privileges as if physically present.
– CVE-2025-6019, exploitable via the udisks daemon, enables attackers with “allow_active” privileges to escalate to root, compromising systems by disabling EDR agents or implanting backdoors.
– Patches have been privately shared with Linux distro developers, and major distributions are already updating libblockdev and udisks packages to fix the flaws.
– Organizations are urged to deploy patches immediately due to the critical risk posed by these easily exploitable vulnerabilities, which affect components pre-installed on mainstream Linux distros.

Security researchers have identified two critical Linux vulnerabilities that, when combined, allow attackers to gain complete system control with alarming ease. Tracked as CVE-2025-6018 and CVE-2025-6019, these flaws affect multiple major distributions and could enable devastating attacks if left unpatched.

The first vulnerability, CVE-2025-6018, stems from a misconfiguration in Pluggable Authentication Modules (PAM) on openSUSE Leap 15 and SUSE Linux Enterprise 15. This flaw incorrectly treats remote logins, such as those via SSH, as if the user were physically present at the console. Attackers exploiting this weakness can obtain “allow_active” privileges, which are typically reserved for local users.

Once these privileges are secured, attackers can leverage CVE-2025-6019, a flaw in libblockdev, to escalate to full root access. This second vulnerability is exploitable through the udisks daemon, a default component in nearly all Linux distributions. With root privileges, an attacker can disable security tools, install persistent backdoors, or pivot to other systems within a network.

Qualys researchers confirmed successful exploitation on Ubuntu, Debian, Fedora, and openSUSE Leap 15, demonstrating the widespread risk. Proof-of-concept exploits have been released, and patches were distributed privately to vendors last week.

Saeed Abbasi, Senior Manager at Qualys, emphasized the severity of these flaws: “Attackers can chain these vulnerabilities to bypass security controls effortlessly. No special tools are needed—everything required is already present in standard Linux installations.”

The udisks2 policy plays a key role in the attack. By default, it permits any active user to modify devices without administrative authentication. Mitigation requires updating policies to enforce stricter access controls.
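
To check how a host's udisks2 policy treats active users, the following added example (not from the article or from Qualys) parses a polkit policy file and reports udisks2 actions whose `allow_active` default does not require administrator authentication. The action ID `org.freedesktop.udisks2.modify-device` is the polkit action for modifying devices and is not named in the article; the sample XML is constructed and its second action ID is hypothetical.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample shaped like a polkit .policy file (not copied from a real
# system). The second action ID is hypothetical and exists only for contrast.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.freedesktop.udisks2.modify-device">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks2.example-admin-only">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# allow_active values that demand administrator authentication, or deny outright.
RESTRICTIVE = {"auth_admin", "auth_admin_keep", "no"}


def audit_policy(xml_data, prefix="org.freedesktop.udisks2."):
    """Map action ID -> allow_active for actions an active user can run
    without administrator authentication."""
    findings = {}
    for action in ET.fromstring(xml_data).iter("action"):
        action_id = action.get("id", "")
        value = action.findtext("defaults/allow_active")
        if not action_id.startswith(prefix) or value is None:
            continue  # other component, or no allow_active default declared
        if value.strip() not in RESTRICTIVE:
            findings[action_id] = value.strip()
    return findings


if __name__ == "__main__":
    # Pass a policy file path to audit it; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_POLICY
    for action_id, value in sorted(audit_policy(data).items()):
        print(f"{action_id}: allow_active={value} (no admin authentication)")
```

Policy files are typically installed under `/usr/share/polkit-1/actions/`. The script reads only the shipped defaults, so a local polkit rule that overrides them is not reflected in its output.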

Major distributions have begun rolling out fixes, including updates to libblockdev and udisks packages. Organizations are urged to apply patches immediately, as the combination of these flaws presents a critical risk to Linux systems.

(Source: HelpNet Security)
