Security researchers from Qualys TRU have uncovered two linked, critical vulnerabilities in Linux. Starting with SUSE 15, the LPE chain leads directly to root access in standard configurations of many Linux distributions.
Qualys TRU (Threat Research Unit), the research arm of the cloud-based IT, security and compliance solutions provider Qualys, Inc., has discovered two closely linked vulnerabilities (CVE-2025-6018 and CVE-2025-6019):
- CVE-2025-6018: LPE from unprivileged to allow_active in *SUSE 15's PAM
- CVE-2025-6019: LPE from allow_active to root in libblockdev via udisks
Their combination allows attackers to gain root access to Linux systems with a standard configuration.
Details of the vulnerabilities
The first vulnerability (CVE-2025-6018) is located in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. An unprivileged local user, for example via an SSH connection, can exploit this vulnerability to gain the status of an "allow_active" user and then perform polkit actions that are normally reserved for physically present users.
The second vulnerability (CVE-2025-6019) affects libblockdev and can be exploited via the udisks daemon, which is included by default in most Linux distributions; it allows an "allow_active" user to gain full root privileges. While CVE-2025-6019 on its own requires existing "allow_active" status, the combination with CVE-2025-6018 allows even a completely unprivileged attacker to gain root access.
The vulnerability in libblockdev/udisks is of particular relevance. Although it nominally requires "allow_active" status, the udisks daemon is installed by default on almost all Linux distributions, making almost all systems potentially vulnerable. Techniques to gain "allow_active" status, including the PAM vulnerability described here, effectively remove this hurdle. An attacker can combine both vulnerabilities and gain root access with minimal effort. Due to the widespread use of udisks and the ease with which this attack chain can be exploited, organizations should consider this threat to be critical and universal and apply the available security updates immediately.
The Qualys Threat Research Unit (TRU) has developed proof-of-concept exploits to validate these vulnerabilities on various operating systems. The libblockdev/udisks vulnerability was successfully exploited on Ubuntu, Debian, Fedora and openSUSE Leap 15.
Functionality of PAM and udisks/libblockdev
PAM configuration in openSUSE/SLE 15: The Pluggable Authentication Modules (PAM) framework controls how users authenticate and start sessions on Linux systems. In openSUSE/SLE 15, the PAM stack is configured to determine which users are considered "active" – i.e. physically present on the system – and are therefore allowed to perform certain privileged actions. A misconfiguration can result in every local login, including via SSH, being treated as if the user were sitting directly at the console. This "allow_active" status normally grants access to certain polkit operations that are reserved for physically present users. If this mechanism is applied incorrectly, unprivileged users can perform actions that they should not be allowed to perform.
udisks daemon and libblockdev: The udisks service runs by default on most Linux systems and provides an interface for storage management via D-Bus – including mounting, querying and formatting storage media. Internally, udisks calls libblockdev, a library that performs low-level block device operations. A vulnerability in libblockdev that is reachable via udisks allows any user with "allow_active" status to gain root privileges directly. Because udisks is so widely deployed, understanding its function and its dependency on libblockdev is critical: udisks acts as the link between a user's session rights and device management functions, so a vulnerability at this point can allow complete system control.
Possible effects
These modern "local-to-root" exploits bridge the gap between an ordinary logged-in user and a complete system takeover. By chaining legitimate services such as udisks loop mounts with quirks in the PAM and environment configuration, attackers with an active GUI or SSH session can cross polkit's trust boundary ("allow_active") and gain root privileges within seconds. No exotic skills are required, as all the components involved are pre-installed in common Linux distributions and their server variants.
Root access is the most serious type of vulnerability. An attacker can use it to undetectably disable EDR agents, install kernel backdoors for persistent code execution or manipulate system configurations that survive reboots. Such compromised servers can serve as a starting point for lateral movement in the network. Exploits that target server packages installed by default can spread from a single compromised system to entire fleets. To reduce this risk, updates should be applied system-wide and security measures such as polkit rules and loop-mount policies should be tightened. This broad strategy helps to contain an initial compromise and protect the entire network.
Protection against the libblockdev/udisks vulnerability
The default Polkit policy for the "org.freedesktop.udisks2.modify-device" action may allow any active user to modify devices. This configuration can be exploited to bypass security mechanisms. To prevent this, the policy should be modified to require administrator authentication for this action.
To mitigate this vulnerability, the Polkit rule for "org.freedesktop.udisks2.modify-device" should be adjusted: the value of "allow_active" should be changed from "yes" to "auth_admin". In addition, always prioritize available security updates and follow the specific recommendations of the respective Linux distribution.
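To put the mitigation above into practice on polkit 0.106 or newer (which uses JavaScript rules files), here is an added example, not part of the article or of the udisks project, of a rules.d override that returns auth_admin for org.freedesktop.udisks2.modify-device; the polkit API stub, the rules file name and the sample subject are assumptions so that the rule can be evaluated offline under Node.

```javascript
// Added example (not from the article or from Qualys/udisks): a polkit
// rules-file override that forces admin authentication for the udisks2
// "modify-device" action, evaluated offline against a minimal stub of the
// API that polkit exposes to rules files.

// Stub of the polkit rules API, constructed here only so the rule can be run
// under Node. Real polkit provides this object itself; do not ship the stub.
const rules = [];
const polkit = {
  Result: { YES: "yes", NO: "no", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
  addRule(fn) { rules.push(fn); },
  log(msg) { console.log("polkit: " + msg); },
};

// The rule as it would be installed, e.g. as
// /etc/polkit-1/rules.d/10-udisks2-modify-device.rules (file name is an
// assumption). It overrides the .policy default (allow_active=yes) with
// auth_admin and survives package updates that rewrite the .policy file.
polkit.addRule(function (action, subject) {
  if (action.id === "org.freedesktop.udisks2.modify-device") {
    polkit.log("udisks2 modify-device requested by " + subject.user +
               " (local=" + subject.local + ", active=" + subject.active + ")");
    return polkit.Result.AUTH_ADMIN;
  }
  // Any other action: return nothing so later rules / .policy defaults apply.
});

// Mimic polkit's evaluation order: rules run in the order they were added and
// the first one returning a non-null result decides.
function evaluate(actionId, subject) {
  for (const rule of rules) {
    const result = rule({ id: actionId }, subject);
    if (result !== undefined && result !== null) return result;
  }
  return "not_handled"; // falls back to the action's .policy defaults
}

// Constructed subject: an "active" local session, i.e. exactly the status the
// PAM flaw hands out. Even so, the rule now demands admin credentials.
const activeUser = { user: "alice", local: true, active: true };
console.log(evaluate("org.freedesktop.udisks2.modify-device", activeUser)); // auth_admin
console.log(evaluate("org.freedesktop.udisks2.filesystem-mount", activeUser)); // not_handled
```

On distributions still shipping polkit 0.105 (pkla-based), apply the change in the action's .policy file instead, as described above. After installing either, `pkcheck --action-id org.freedesktop.udisks2.modify-device --process $$` run from an unprivileged session should no longer report the action as authorized without authentication.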
Conclusion
The combination of CVE-2025-6018 and CVE-2025-6019 allows an SSH user on SUSE 15/Leap 15 with the default configuration to escalate from a normal user to root. One vulnerability provides the "allow_active" status, the other exploits this status to gain full root privileges – using only pre-installed components. Root access makes it possible to manipulate security agents, establish persistence and move laterally in the network. An unpatched server can therefore pose a risk to an entire infrastructure. Both PAM and libblockdev/udisks should therefore be updated immediately on all systems.
The technical details of the vulnerabilities can be found on this page.