Critical Linux Flaws Discovered Allowing Root Access Exploits

Two new vulnerabilities have been discovered in widely deployed Linux components that could allow unprivileged users to gain root access across popular distributions.
The first is a local privilege escalation (LPE) flaw tracked as CVE-2025-6018, which affects the PAM configuration in openSUSE Leap 15 and SUSE Linux Enterprise 15.
This misconfiguration allows any local login session, including those over SSH, to be treated as if the user were physically present. That status, known as “allow_active,” grants access to certain privileged operations typically reserved for users physically at the machine.
The second vulnerability, CVE-2025-6019, resides in libblockdev and can be triggered via the udisks daemon, which is installed by default on nearly all Linux distributions. Once a user obtains allow_active status, this flaw enables full root access.
Combined, these two flaws create a direct and low-effort path from unprivileged to root access.
Exploit Chain Impacts Multiple Distributions
The udisks daemon and its libblockdev backend are used for managing disks and storage devices. By design, they grant more privileges to users marked as “active.” The PAM flaw subverts this trust model, turning routine sessions into security liabilities.
The exploit chain is especially dangerous because no extra software or physical access is required, just a working SSH login to a vulnerable system.
The Qualys Threat Research Unit (TRU) has successfully demonstrated this exploit chain on Ubuntu, Debian, Fedora and openSUSE Leap 15. Its significance lies in how easily attackers can leap from a standard SSH session to full root privileges using only default-installed components.
“Nothing exotic is required,” TRU researchers said.
“Each link is pre-installed on mainstream Linux distros and their server builds.”
Key risks include:
- Complete takeover of affected systems
- Evasion of endpoint detection tools
- Installation of persistent backdoors
- Fleet-wide compromise via lateral movement
Mitigation and Recommendations
Security teams are urged to patch both vulnerabilities immediately.
In addition, they are advised to:
- Modify the default polkit rule for org.freedesktop.udisks2.modify-device
- Change the allow_active setting from yes to auth_admin
- Follow vendor advisories for SUSE, Ubuntu and others
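One way to check for the setting named above across a fleet, as an added example that is not from Qualys or any vendor advisory: the script parses a polkit policy file, reports the implicit authorizations for org.freedesktop.udisks2.modify-device, and shows the same policy with allow_active changed to auth_admin. The embedded policy text is a constructed sample in the polkit policy-file format, and the function names are hypothetical; it also treats auth_admin_keep and no as acceptable, which goes slightly beyond the single yes value the article mentions.

```python
import xml.etree.ElementTree as ET

ACTION_ID = "org.freedesktop.udisks2.modify-device"
# polkit implicit-authorization values that deny or require admin authentication
ADMIN_OR_DENY = {"no", "auth_admin", "auth_admin_keep"}

# Constructed sample in the polkit policy-file format, not copied from a distro.
SAMPLE_POLICY = """<policyconfig>
  <action id="org.freedesktop.udisks2.modify-device">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>"""


def implicit_auth(policy_xml, action_id=ACTION_ID):
    """Return the <defaults> of one action as a dict, or None if not defined."""
    for action in ET.fromstring(policy_xml).iter("action"):
        if action.get("id") == action_id:
            defaults = action.find("defaults")
            children = list(defaults) if defaults is not None else []
            return {c.tag: (c.text or "").strip() for c in children}
    return None


def needs_hardening(policy_xml, action_id=ACTION_ID):
    """True when an active session gets the action without admin authentication."""
    value = (implicit_auth(policy_xml, action_id) or {}).get("allow_active")
    return value is not None and value not in ADMIN_OR_DENY


def harden(policy_xml, action_id=ACTION_ID):
    """Return a copy of the policy with allow_active set to auth_admin."""
    root = ET.fromstring(policy_xml)
    for action in root.iter("action"):
        node = action.find("defaults/allow_active")
        if action.get("id") == action_id and node is not None:
            node.text = "auth_admin"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", implicit_auth(SAMPLE_POLICY), needs_hardening(SAMPLE_POLICY))
    fixed = harden(SAMPLE_POLICY)
    print("after: ", implicit_auth(fixed), needs_hardening(fixed))
```

To audit a host, pass the text of its installed udisks2 policy file to `needs_hardening`; the vendor advisory remains the reference for how to persist the change on each distribution.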
Failing to act quickly may leave entire fleets exposed to compromise. The root access granted through this exploit enables undetectable persistence and cross-system attacks, amplifying the risk to enterprise infrastructure.