Severity
High
Analysis Summary
Two interconnected high-severity vulnerabilities, CVE-2025-6018 and CVE-2025-6019, have been discovered by the Research Unit, allowing unprivileged attackers to escalate privileges and ultimately gain root access on major Linux distributions. Affecting millions of systems globally, these flaws represent a critical security emergency requiring immediate attention. The first flaw (CVE-2025-6018) resides in the Pluggable Authentication Modules (PAM) configuration in openSUSE Leap 15 and SUSE Linux Enterprise 15. It enables users connecting via SSH to be incorrectly granted “allow_active” status, which should only be available to physically present users. This misconfiguration effectively grants remote attackers elevated access rights, serving as the entry point for the second, more severe exploit.
CVE-2025-6019 targets the libblockdev package and the udisks daemon, components that are pre-installed on almost all mainstream Linux distributions, including Ubuntu, Debian, Fedora, and openSUSE. Once an attacker obtains “allow_active” privileges through the initial exploit or direct console access, this second vulnerability allows them to abuse the “org.freedesktop.udisks2.modify-device” polkit action. By manipulating this interface, attackers can execute arbitrary code as root via the D-Bus communication channel, which udisks uses to interact with libblockdev for managing storage devices.
The danger of this vulnerability chain lies in its exploitation of fundamental Linux system services and its broad impact on default configurations. PAM controls user authentication and privileges, while udisks and libblockdev manage device-level operations. The combination of an overly permissive PAM setup and liberal polkit rules on device modification actions results in a simple yet powerful escalation path. This chain has been successfully demonstrated by researchers across multiple popular distributions, confirming its feasibility in real-world environments.
Immediate mitigations are strongly advised. System administrators should reconfigure polkit rules by changing the “allow_active” setting of the udisks2 modify-device action to “auth_admin”, which enforces admin authentication. This can be done by editing or adding rule files in /etc/polkit-1/rules.d/. Additionally, patching both PAM configurations and the libblockdev/udisks components should be prioritized organization-wide. Given that root access allows attackers to disable defenses, implant persistent malware, and pivot across networks, these flaws pose a serious threat to enterprise security and demand swift remediation.
Impact
- Privilege Escalation
- Gain Access
- Code Execution
Indicators of Compromise
CVE
CVE-2025-6018
CVE-2025-6019
Affected Vendors
Affected Products
- openSUSE Leap 15
- SUSE Linux Enterprise 15
- libblockdev package
- udisks daemon (Ubuntu, Debian, Fedora, openSUSE Leap 15+)
Remediation
- Apply the latest security patches for openSUSE Leap 15, SUSE Linux Enterprise 15, and the libblockdev/udisks packages on all affected distributions such as Ubuntu, Debian, and Fedora.
- Modify polkit rules for the org.freedesktop.udisks2.modify-device action by changing the allow_active setting from yes to auth_admin.
- Create or update rule files in /etc/polkit-1/rules.d/ to enforce administrator authentication for device modification.
- Review and fix PAM configurations on SUSE-based systems to ensure SSH users are not granted “allow_active” status mistakenly.
- Restrict SSH access to only trusted users and implement multi-factor authentication for additional security.
- Monitor system and polkit logs for suspicious activity, especially involving privilege escalations or udisks interactions.
- Use tools like SELinux or AppArmor to limit access and contain the impact of potential exploitation.
- Temporarily isolate unpatched or vulnerable systems from the broader network until remediations are applied.
- Perform vulnerability scans across the Linux infrastructure to detect and remediate exposed systems or misconfigurations.
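The polkit rule that implements the second and third remediation steps, as an added example that is not part of the advisory or of the udisks/polkit projects. The `polkit.addRule(...)` call is the only part that belongs in a rules file (the file name `/etc/polkit-1/rules.d/10-udisks-modify-device.rules` is an assumption; any `*.rules` name in that directory is picked up). Everything else, the stand-in `polkit` object, the `evaluate` function and the `UDISKS_MODIFY_DEVICE_DEFAULTS` table, is a constructed simulation of how polkitd consults rules before falling back to the action's implicit authorizations, so the rule can be exercised offline with Node:

```javascript
"use strict";

// --- constructed stand-in for the polkit JavaScript environment -----------
// Real polkitd provides a global `polkit` object; this minimal version mimics
// only the parts the rule below uses: the Result constants and addRule().
const polkit = {
  Result: {
    NO: "no",
    YES: "yes",
    AUTH_ADMIN: "auth_admin",
    AUTH_ADMIN_KEEP: "auth_admin_keep",
    // A rule that returns undefined leaves the decision to later rules and
    // to the action's implicit authorizations from its .policy file.
    NOT_HANDLED: undefined,
  },
  _rules: [],
  addRule(fn) { this._rules.push(fn); },
};

// --- the rule exactly as it would appear in the .rules file ---------------
// Forces administrator authentication for the udisks2 modify-device action
// no matter whether polkit considers the subject local and active, which is
// what the advisory's "change allow_active to auth_admin" advice achieves.
polkit.addRule(function (action, subject) {
  if (action.id == "org.freedesktop.udisks2.modify-device") {
    return polkit.Result.AUTH_ADMIN;
  }
  // Any other action: fall through (undefined) to other rules and defaults.
});

// --- simulated evaluator --------------------------------------------------
// polkitd runs the rules in order; the first defined result wins. If none
// handles the request, the implicit authorization for the subject's session
// state applies: allow_active for an active local session, allow_inactive
// for a local but inactive session, allow_any otherwise.
function evaluate(action, subject, defaults) {
  for (const rule of polkit._rules) {
    const r = rule(action, subject);
    if (r !== undefined) return r;
  }
  if (subject.local && subject.active) return defaults.allow_active;
  if (subject.local) return defaults.allow_inactive;
  return defaults.allow_any;
}

// Constructed defaults modelling the permissive package setting the advisory
// describes (allow_active=yes): an active local user needs no authentication.
const UDISKS_MODIFY_DEVICE_DEFAULTS = {
  allow_any: "auth_admin",
  allow_inactive: "auth_admin",
  allow_active: "yes",
};

// Decision for one request, with or without the rules file in place, so the
// before/after effect of the mitigation can be compared.
function decision(actionId, subject, defaults, withRule) {
  const saved = polkit._rules;
  if (!withRule) polkit._rules = [];
  try {
    return evaluate({ id: actionId }, subject, defaults);
  } finally {
    polkit._rules = saved;
  }
}

// Constructed subject: an SSH user whom a PAM misconfiguration has caused
// polkit to treat as an active local session (the CVE-2025-6018 condition).
const sshUserMisclassified = { user: "alice", local: true, active: true };
const ACTION = "org.freedesktop.udisks2.modify-device";

console.log("without rule:", decision(ACTION, sshUserMisclassified, UDISKS_MODIFY_DEVICE_DEFAULTS, false)); // yes
console.log("with rule:   ", decision(ACTION, sshUserMisclassified, UDISKS_MODIFY_DEVICE_DEFAULTS, true));  // auth_admin
```

On a real host, `pkaction --verbose --action-id org.freedesktop.udisks2.modify-device` prints only the implicit authorizations from the .policy file, not the effect of rules.d; to confirm the rule is live, run `pkcheck --action-id org.freedesktop.udisks2.modify-device --process $$` as an ordinary user in a local session and check that it now asks for administrator authentication instead of succeeding silently.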