Critical Privilege Escalation Flaws Grant Full Root Access on Multiple Linux Distros

The Qualys Threat Research Unit (TRU) has uncovered two interconnected local privilege escalation (LPE) vulnerabilities—CVE-2025-6018 and CVE-2025-6019—that together enable attackers to gain full root access on a wide range of Linux distributions with minimal effort. 

These flaws impact both desktop and server installations, and their exploitation requires only a local user session, such as SSH, making them a critical risk for enterprises and individuals alike.

Vulnerability Details

CVE             Affected Component       Impact                    Affected Distros
CVE-2025-6018   PAM (openSUSE/SLE 15)    allow_active escalation   openSUSE Leap 15, SLE 15
CVE-2025-6019   libblockdev/udisks       Root privilege            Ubuntu, Debian, Fedora, openSUSE

CVE-2025-6018: PAM Misconfiguration in SUSE Linux

The first flaw, CVE-2025-6018, is rooted in the Pluggable Authentication Modules (PAM) configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. 

Due to improper session handling, PAM can incorrectly grant “allow_active” status to any local login—including remote SSH sessions—treating remote users as if they were physically present at the console.

This misclassification allows an unprivileged user to invoke privileged polkit actions typically reserved for console users.

CVE-2025-6019: libblockdev/udisks Privilege Escalation

The second vulnerability, CVE-2025-6019, affects libblockdev and is exploitable via the udisks daemon, which is installed by default on most major Linux distributions, including Ubuntu, Fedora, Debian, and openSUSE. 

If a user already has “allow_active” status, they can exploit this flaw to escalate directly to root privileges. While CVE-2025-6019 alone requires this context, chaining it with CVE-2025-6018 allows an unprivileged attacker to achieve root access from scratch.

Exploit Chain and Impact

By chaining these vulnerabilities, any attacker with a basic user account—such as via SSH—can rapidly escalate to full root privileges on affected systems. 

This chain collapses the traditional security boundary between ordinary users and root, enabling attackers to:

  • Disable endpoint detection and response (EDR) agents
  • Implant persistent kernel-level backdoors
  • Rewrite system configurations for long-term compromise
  • Use compromised servers as launchpads for lateral movement across networks

Proof-of-concept exploits have demonstrated successful attacks on Ubuntu, Debian, Fedora, and openSUSE Leap 15, confirming the widespread impact.

Mitigation and Recommendations

Given the ubiquity of udisks and the simplicity of the exploit, organizations must treat these flaws as a critical, universal risk and act immediately:

  • Patch Promptly: Apply security updates for both PAM and libblockdev/udisks as soon as they are available from your Linux distribution vendor.
  • Polkit Rule Hardening: Change the polkit rule for org.freedesktop.udisks2.modify-device from allow_active=yes to auth_admin, requiring administrator authentication for device modifications.
  • Review Security Policies: Strengthen polkit rules and loop-mount policies to contain potential breaches.
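The following audit helper is an added example, not code from the article or from Qualys: it parses the output of `pkaction --verbose` to report whether org.freedesktop.udisks2.modify-device still defaults to "yes" for active sessions, and prints the polkit rule that enforces auth_admin instead. The action id and the pkaction output layout are real; the sample text and the rules file name 10-udisks2-hardening.rules are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the article or Qualys). It checks whether the
# polkit action named in the mitigation still answers "yes" to allow_active
# callers, i.e. whether a user in an active session reaches it without an
# administrator password. Sample text below is constructed to mirror pkaction.

# classify_policy: read pkaction-style text on stdin, print WEAK, OK or UNKNOWN
# based on the "implicit active" default.
classify_policy() {
  active=$(awk -F': *' '/implicit active:/ { print $2 }' | tr -d ' \r')
  case "$active" in
    yes)                                                     echo WEAK ;;
    auth_admin|auth_admin_keep|auth_self|auth_self_keep|no)  echo OK ;;
    *)                                                       echo UNKNOWN ;;
  esac
}

# audit_action: query the live policy for one action id. pkaction shows only
# the .policy defaults; an override in /etc/polkit-1/rules.d is not reflected
# here, so confirm the effective decision with pkcheck as well.
audit_action() {
  pkaction --verbose --action-id "$1" | classify_policy
}

# emit_override_rule: print a polkit JavaScript rule (polkit >= 0.106; file
# name is an assumption) that forces auth_admin for the udisks2 action.
emit_override_rule() {
  cat <<'EOF'
// /etc/polkit-1/rules.d/10-udisks2-hardening.rules
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.modify-device") {
        return polkit.Result.AUTH_ADMIN;
    }
});
EOF
}

# Constructed sample of the unpatched default, as pkaction --verbose prints it.
SAMPLE_WEAK='org.freedesktop.udisks2.modify-device:
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   yes'

# Constructed sample of the same action after the recommended change.
SAMPLE_HARDENED='org.freedesktop.udisks2.modify-device:
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   auth_admin'
```

Run `audit_action org.freedesktop.udisks2.modify-device` on a host to check its live .policy default; WEAK means the allow_active path described above is still open.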

Chaining CVE-2025-6018 and CVE-2025-6019 allows any SUSE 15/Leap 15 SSH user to escalate from a normal user to root with default configurations.

This enables agent tampering, persistence, and lateral movement, making every unpatched server a potential risk to the entire fleet. Immediate patching and policy updates are essential to close this critical privilege escalation path.
