
CISA Alerts: Hackers Exploiting Critical Linux Flaw

Summary

– CISA warns U.S. federal agencies that attackers are exploiting a high-severity Linux kernel vulnerability (CVE-2023-0386) in the OverlayFS subsystem to gain root privileges.
– The flaw, fixed upstream in January 2023, stems from improper ownership (uid mapping) handling during OverlayFS copy-up and affects major Linux distributions including Debian, Ubuntu, and Red Hat.
– Proof-of-concept exploits have been public on GitHub since May 2023, making attacks trivial to reproduce and raising patching urgency for Linux admins.
– Because the flaw is now listed as actively exploited, federal agencies must patch affected Linux systems by July 8, 2025 under CISA's directive.
– Separately, Qualys researchers identified two other local privilege escalation vulnerabilities (CVE-2025-6018 and CVE-2025-6019) affecting major Linux distributions.

Federal agencies are racing to patch a high-severity Linux kernel vulnerability after CISA confirmed active exploitation of unpatched systems. The flaw, tracked as CVE-2023-0386, lets a local attacker escalate privileges to root through a weakness in the OverlayFS subsystem.

The vulnerability stems from improper ownership management in the Linux kernel's OverlayFS code, which allows an unprivileged local user to execute a setuid file carrying file capabilities that OverlayFS has copied between mounts, and thereby obtain root. Security experts warn the bug affects major distributions including Debian, Ubuntu, Red Hat, and Amazon Linux when running kernel versions below 6.2. The upstream fix landed in mainline 6.2 in January 2023, but distribution kernels backport fixes under older version numbers, so administrators should rely on vendor advisories and package changelogs rather than the kernel version alone. Broad public disclosure and proof-of-concept exploits posted to GitHub in May 2023 have lowered the bar for attacks.


CISA has added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, which under Binding Operational Directive 22-01 requires all federal civilian executive branch agencies to apply patches by July 8, 2025. The agency noted that vulnerabilities of this kind are frequent attack vectors for malicious cyber actors, and that exploitation in the wild has now been confirmed.

Independent analysis by Datadog Security Labs found that the exploit requires minimal effort to execute, compounding the risk for organizations running outdated kernels. The bug is a uid-mapping error in OverlayFS copy-up: when a file carrying setuid bits or file capabilities is copied from a lower mount (the public proof-of-concept uses a FUSE filesystem) into the upper layer, the kernel mishandles the ownership mapping for the mounting user namespace, so the copied file lands on the host filesystem with its privileged ownership and capabilities intact. Executing that copy then yields root.

Separately, the Qualys Threat Research Unit identified two additional local privilege escalation vulnerabilities, CVE-2025-6018 (a PAM configuration issue on openSUSE Leap 15 and SUSE Linux Enterprise 15) and CVE-2025-6019 (in libblockdev, reachable through the udisks daemon), which can be chained to go from an unprivileged user to root. Researchers demonstrated successful root access on Debian, Ubuntu, Fedora, and openSUSE during testing.

System administrators are urged to prioritize kernel updates immediately. Since CVE-2023-0386 is a local privilege escalation, the most exposed systems are multi-user hosts, shared build and CI machines, and any server where an attacker could already obtain a low-privileged foothold (for example through a web application bug), because the flaw turns that foothold into root. The combination of public exploit code and confirmed malicious activity leaves a narrow window for mitigation.
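As an added example (this is not code from the article, nor from CISA, Datadog, or Qualys), the following POSIX shell triage script reports the indicators an administrator would check first on a host: the running kernel version against the 6.2 mainline fix, whether unprivileged user namespaces are enabled (the public proof-of-concept mounts OverlayFS from inside one), and whether the overlay filesystem is registered. It only reports; it does not exploit anything. The function names and output strings are this example's own, and the version comparison is deliberately conservative: a kernel reported as "in-range" may already carry a vendor backport, so confirm against the distribution advisory.

```shell
#!/bin/sh
# Triage helper for CVE-2023-0386 exposure (example code, not from the article
# or from CISA/Datadog/Qualys). Reports indicators only; no exploitation.

# version_lt A B: return 0 if dotted version A is older than B, else 1.
# Only the first three numeric components are compared, so a suffix such as
# "-91-generic" in "5.15.0-91-generic" is ignored.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s\n' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        y=$(printf '%s\n' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 1
}

# cve_2023_0386_kernel_status VERSION: prints "in-range" if VERSION predates
# the mainline fix in 6.2, otherwise "fixed". Distribution kernels backport
# fixes under older version numbers, so "in-range" means "check the vendor
# advisory or package changelog", not "proven vulnerable".
cve_2023_0386_kernel_status() {
    if version_lt "$1" 6.2; then
        echo in-range
    else
        echo fixed
    fi
}

# The public proof-of-concept mounts OverlayFS from an unprivileged user
# namespace; report whether those can be created on this host.
unprivileged_userns_status() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        # Debian/Ubuntu-specific knob: 1 = enabled, 0 = disabled.
        if [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = 1 ]; then
            echo enabled
        else
            echo disabled
        fi
    elif [ -r /proc/sys/user/max_user_namespaces ]; then
        # Mainline limit: 0 disables creation of user namespaces entirely.
        if [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ]; then
            echo enabled
        else
            echo disabled
        fi
    else
        echo unknown
    fi
}

# report: print the three indicators for the running host.
report() {
    k=$(uname -r)
    echo "kernel $k: $(cve_2023_0386_kernel_status "$k")"
    echo "unprivileged user namespaces: $(unprivileged_userns_status)"
    if grep -qw overlay /proc/filesystems 2>/dev/null; then
        echo "overlay filesystem: registered"
    else
        echo "overlay filesystem: not registered (module may still be loadable)"
    fi
}

command -v uname >/dev/null 2>&1 && report
```

Run it as an ordinary user; none of the checks need root. A result of "in-range" plus "enabled" means the host should be treated as exposed until the vendor advisory confirms the backported fix is installed. Disabling unprivileged user namespaces (where the workload allows it) removes the code path the public exploit relies on, but is a mitigation, not a substitute for the kernel update.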

(Source: Bleeping Computer)


The Wiz