Security researchers have uncovered a critical privilege escalation chain in major Linux distributions that allows any local user with a session (SSH or GUI) to gain full root access in seconds.
The exploit chain consists of two vulnerabilities:
- CVE-2025-6018: A misconfiguration in the PAM (Pluggable Authentication Modules) system on SUSE Linux 15 lets unprivileged users escalate to a special trust level called allow_active.
- CVE-2025-6019: Leveraging this trust level, an attacker can abuse the udisks daemon (enabled by default on most Linux systems) to execute root-level operations via the libblockdev library.
What Makes This Dangerous?
Unlike older privilege escalation bugs that required physical access or exploit chains with significant friction, this one works entirely within the bounds of legitimate services like PAM and udisks, often using default configurations.
In simple terms: if an attacker has any valid session on your system, they can elevate to root with minimal effort.
Researchers have successfully demonstrated working exploits on distributions like Ubuntu, Debian, Fedora, and openSUSE Leap 15.
Impact Analysis
- Exploit chain simplicity: Both primitives exist on default installs. Attack complexity is low.
- Wide attack surface: udisks is enabled on nearly all Linux OSes; the PAM misconfiguration is common in SUSE 15.
- Post-compromise power: Root access lets an attacker disable defenses, implant backdoors, persist across reboots, and move laterally.
How to Protect Your Systems
Patches are now available from major Linux vendors. If you’re running SUSE Linux 15, updating your PAM configuration is critical.
For other distributions, updating the udisks and libblockdev packages will address CVE-2025-6019.
In the meantime, you can reduce exposure by editing the Polkit rule for device modifications. Change the setting for org.freedesktop.udisks2.modify-device from:
<allow_active>yes</allow_active>
to:
<allow_active>auth_admin</allow_active>
This ensures that administrative authentication is required, even for users marked as “active.”
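The check below is an added example, not code from the researchers or the vendors: it parses a udisks2 polkit policy file and reports whether org.freedesktop.udisks2.modify-device still grants allow_active as yes. The policy file path and the function names are assumptions, and the sample policy is constructed.

```python
import sys
import xml.etree.ElementTree as ET

ACTION_ID = "org.freedesktop.udisks2.modify-device"  # action named in the article
# Assumed location of the udisks2 policy file; pass another path as argv[1].
DEFAULT_POLICY = "/usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy"

# Constructed sample policy, trimmed to the elements this check reads.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.freedesktop.udisks2.modify-device">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

def allow_active_setting(policy_xml, action_id=ACTION_ID):
    """Return the <allow_active> default for action_id, or None if absent."""
    root = ET.fromstring(policy_xml)
    for action in root.iter("action"):
        if action.get("id") == action_id:
            value = action.findtext("defaults/allow_active")
            return value.strip() if value else None
    return None

def assess(policy_xml, action_id=ACTION_ID):
    """Classify the setting: exposed, hardened, review, or not-found."""
    value = allow_active_setting(policy_xml, action_id)
    if value is None:
        return "not-found"
    if value == "yes":
        return "exposed"      # active sessions may modify devices without a prompt
    if value in ("auth_admin", "auth_admin_keep", "no"):
        return "hardened"     # admin authentication required, or action denied
    return "review"           # e.g. auth_self: only the user's own password

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_POLICY
    with open(path, "rb") as fh:  # bytes, so the XML encoding declaration is honoured
        result = assess(fh.read())
    print(f"{ACTION_ID}: {result}")
    sys.exit(1 if result == "exposed" else 0)
```

The script reads only the defaults in the policy file; polkit rules installed separately on the host can override them and are not evaluated here.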
Need help assessing your exposure or applying mitigations?
OP Innovate’s security experts can help you identify vulnerable assets, prioritize patching, and harden your Linux environments. Contact us today for a complimentary consultation.