The security community is warning about two newly discovered vulnerabilities that allow local attackers to escalate privileges to full root control on most modern Linux distributions. Exploiting these flaws—identified as CVE-2025-6018 and CVE-2025-6019—poses a severe threat to unpatched servers and workstations.

A “Local-to-Root” Attack Chain Within Reach of Most Attackers

The first vulnerability (CVE-2025-6018) affects the configuration of PAM (Pluggable Authentication Modules) in openSUSE Leap 15 and SUSE Linux Enterprise 15. A local attacker can obtain “allow_active” privileges, which is the crucial first step of the chain.

The second flaw (CVE-2025-6019) lies in the libblockdev library and allows an “allow_active” user to escalate privileges to root via the udisks storage management service, which runs by default on nearly all modern Linux distributions (Ubuntu, Debian, Fedora, openSUSE, and others).

The exploitation chain is straightforward: first, obtain “allow_active” privileges through the PAM flaw, then use the udisks/libblockdev vulnerability to gain full root access. The Qualys Threat Research Unit (TRU) has confirmed successful exploitation of CVE-2025-6019 on Ubuntu, Debian, Fedora, and openSUSE Leap 15, underlining the criticality of this threat.

A Universal Risk for Linux Servers

While full exploitation nominally requires “allow_active” permissions, in practice this barrier is low, as udisks is widely available and the PAM flaw provides a simple route to initial access. “Given the ubiquity of udisks and the simplicity of the exploit, any unpatched Linux system is at critical risk,” warns Saeed Abbasi, manager at Qualys TRU.

Gaining root access allows attackers to tamper with security agents, establish persistence, and move laterally within the network, endangering not only the affected server but the entire infrastructure.

Patching Is Mandatory: Instructions for Administrators

Qualys has published proof-of-concept code and technical details, along with links to security patches. All Linux administrators are strongly advised to:

  • Immediately update both PAM and libblockdev/udisks on all machines, especially production environments.
  • Audit privileges and monitor accounts with “allow_active” permissions.
  • Strengthen network segmentation and privileged account management to minimize the impact if any systems cannot be patched immediately.
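The second bullet above asks administrators to audit “allow_active” accounts, and the term is worth making concrete. It is polkit's authorization level: a user whose session is active on a local seat is “active”, and each polkit action's .policy file states what such a user may do without being asked for a password (`<allow_active>yes</allow_active>`). The following shell helper, added here as an example and not code from the article or from Qualys, lists the actions a policy file grants to active users without a prompt and the users who currently hold that status. The policy excerpt and the session table are constructed samples modelled on the polkit .policy format and on a loginctl-style listing; the real udisks policy is typically under /usr/share/polkit-1/actions/ and the live session list comes from `loginctl list-sessions`. The parser is generic, so it works on any polkit .policy file, not only the udisks one.

```shell
#!/bin/sh
# Added audit helper (example, not from the article or from Qualys).
# Inputs below are constructed samples; on a real host feed the udisks
# .policy file (typically /usr/share/polkit-1/actions/) and the output of
# `loginctl list-sessions` into the same functions.

# Print the ids of actions whose <allow_active> default is "yes", i.e.
# actions an active local user can invoke with no password prompt.
# Reads polkit .policy XML from stdin.
allow_active_actions() {
    awk '
        /<action id="/ {
            match($0, /id="[^"]+"/)
            id = substr($0, RSTART + 4, RLENGTH - 5)
        }
        /<allow_active>/ {
            match($0, />[^<]+</)
            val = substr($0, RSTART + 1, RLENGTH - 2)
            if (val == "yes") print id
        }
    '
}

# Print the users who currently satisfy polkit's allow_active condition:
# a session bound to a physical seat and in the "active" state.
# Reads a whitespace-separated table with a header line
# (constructed column layout: SESSION UID USER SEAT STATE; "-" = no seat).
allow_active_users() {
    awk 'NR > 1 && $4 != "-" && $5 == "active" { print $3 }'
}

# Constructed policy excerpt in polkit's .policy format.
SAMPLE_POLICY=$(cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.freedesktop.udisks2.filesystem-mount">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks2.modify-device-system">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks2.loop-setup">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
EOF
)

# Constructed session table: alice is active on seat0, bob is active but
# has no seat (e.g. SSH), carol is on seat0 but not the active session.
SAMPLE_SESSIONS=$(cat <<'EOF'
SESSION UID  USER  SEAT  STATE
1       1000 alice seat0 active
3       1001 bob   -     active
5       1002 carol seat0 online
EOF
)

echo "actions granted to allow_active users without a prompt:"
printf '%s\n' "$SAMPLE_POLICY" | allow_active_actions
echo "users currently holding allow_active status:"
printf '%s\n' "$SAMPLE_SESSIONS" | allow_active_users
```

Actions that print here are the ones an attacker with a foothold in an active local session could reach through udisks without further authentication, so they are the ones to restrict (via a polkit rule) or watch while the patch is rolled out; the user list tells you whose sessions currently meet that condition.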

Context: A Long List of Critical Vulnerabilities in Linux

These two new vulnerabilities join a growing list of critical flaws in widely deployed Linux components. In recent years, Qualys and other researchers have reported vulnerabilities in Polkit (PwnKit), glibc (Looney Tunables), the kernel’s filesystem (Sequoia), and Sudo (Baron Samedit)—all capable of root escalation on unpatched systems.

The ease and speed with which such vulnerabilities can be chained together highlight the importance of automated patch management, as a single unpatched system can serve as an entry point to compromise an entire network.

Conclusion

Exploitation of vulnerabilities in PAM and udisks/libblockdev currently represents one of the most dangerous vectors for gaining root privileges on Linux. Given the criticality and universal reach, the cybersecurity community urges immediate patching and a review of access controls across all Linux environments.

Sources: bleepingcomputer, blog.segu-info, CVE-2025-6018, CVE-2025-6019 and Qualys
