
Critical Privilege Escalation Vulnerabilities Grant Full Root Access on Linux

Two critical security vulnerabilities can be chained together to allow unprivileged attackers to gain complete root access on Linux systems.

The vulnerabilities, designated CVE-2025-6018 and CVE-2025-6019, affect SUSE Linux Enterprise 15, openSUSE Leap 15, and virtually all major Linux distributions through the ubiquitous udisks service.

The attack chain begins with CVE-2025-6018, a misconfiguration in the Pluggable Authentication Modules (PAM) framework on SUSE and openSUSE Leap 15 systems.

This vulnerability allows unprivileged users connecting via SSH to be incorrectly treated as “allow_active” users, a privilege level typically reserved for those physically present at the system console.

This misclassification grants access to polkit operations that should be restricted to local users.

The second vulnerability, CVE-2025-6019, resides in libblockdev, a library used by the udisks daemon for low-level block device operations.

While this vulnerability normally requires “allow_active” privileges to exploit, when combined with the PAM misconfiguration, it enables a complete privilege escalation path.

An attacker can leverage the udisks service’s D-Bus interface to perform storage management operations that ultimately result in gaining full root privileges.

Qualys researchers have successfully demonstrated proof-of-concept exploits across multiple Linux distributions, including Ubuntu, Debian, Fedora, and openSUSE Leap 15, highlighting the broad applicability of these vulnerabilities.

Critical Privilege Escalation Vulnerabilities

The severity of these vulnerabilities cannot be overstated, particularly due to the widespread deployment of udisks across Linux distributions.

Since udisks ships by default on nearly all Linux systems, the potential attack surface is enormous.

The simplicity of the exploit chain makes it especially dangerous – attackers need only gain access to any user account via SSH to potentially compromise the entire system.

Once root access is obtained, attackers can disable endpoint detection and response (EDR) agents, install kernel-level backdoors for persistent access, and modify system configurations that survive reboots.

Compromised systems can then serve as launching points for lateral movement within networks, potentially leading to fleet-wide compromises from a single initial breach.

The attack leverages only standard, pre-installed components available on mainstream Linux distributions and their server variants, making detection particularly challenging.

Organizations running affected systems face an immediate and critical security risk that requires urgent attention.

Mitigations

Qualys has indicated that patches are accessible through standard security advisory channels.

Security teams should prioritize patching these vulnerabilities immediately. For CVE-2025-6019, administrators can implement an interim mitigation by modifying the polkit policy for the “org.freedesktop.udisks2.modify-device” action.

The allow_active setting should be changed from “yes” to “auth_admin,” requiring administrator authentication for device modification operations.

However, this configuration change should be considered a temporary measure. Organizations must apply official patches from their Linux distribution vendors as soon as they become available.
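One way to audit and apply the interim mitigation described above, as an added example that is not from the article and not code from the udisks or polkit projects. It parses a polkit `.policy` file in the standard freedesktop XML layout, reports any action whose `allow_active` default is `yes`, and rewrites that default for `org.freedesktop.udisks2.modify-device` to `auth_admin`. The policy document embedded in the script is constructed to resemble the udisks2 defaults and is not copied from a real system; `find_weak_actions`, `harden_policy` and `allow_active_defaults` are this example's own helper names.

```python
"""Audit and harden the allow_active default of a polkit .policy action.

Added example, not from the article or the udisks/polkit projects.
Assumes the freedesktop .policy XML layout:
  <policyconfig><action id="..."><defaults><allow_active>...</allow_active>
"""
import xml.etree.ElementTree as ET

# Action named in the interim mitigation and the value it should carry.
TARGET_ACTION = "org.freedesktop.udisks2.modify-device"
HARDENED_VALUE = "auth_admin"

# Constructed sample resembling the udisks2 defaults (not a real file).
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <vendor>constructed sample</vendor>
  <action id="org.freedesktop.udisks2.modify-device">
    <description>Modify the drive settings</description>
    <message>Authentication is required to modify drive settings</message>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.freedesktop.udisks2.filesystem-mount">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""


def allow_active_defaults(policy_xml):
    """Map each action id to its <allow_active> default ('' if absent)."""
    root = ET.fromstring(policy_xml)
    defaults = {}
    for action in root.iter("action"):
        node = action.find("defaults/allow_active")
        text = (node.text or "").strip() if node is not None else ""
        defaults[action.get("id", "")] = text
    return defaults


def find_weak_actions(policy_xml, action_ids=(TARGET_ACTION,)):
    """Return the ids among action_ids whose allow_active default is 'yes'."""
    defaults = allow_active_defaults(policy_xml)
    return [a for a in action_ids if defaults.get(a) == "yes"]


def harden_policy(policy_xml, action_id=TARGET_ACTION, value=HARDENED_VALUE):
    """Set the allow_active default of one action; return (xml, changed).

    Only the named action is touched; other actions keep their defaults.
    """
    root = ET.fromstring(policy_xml)
    changed = False
    for action in root.iter("action"):
        if action.get("id") != action_id:
            continue
        node = action.find("defaults/allow_active")
        if node is None:
            # Create the element so the hardened value is explicit.
            defaults = action.find("defaults")
            if defaults is None:
                defaults = ET.SubElement(action, "defaults")
            node = ET.SubElement(defaults, "allow_active")
        if (node.text or "").strip() != value:
            node.text = value
            changed = True
    return ET.tostring(root, encoding="unicode"), changed


if __name__ == "__main__":
    print("allow_active=yes on:", find_weak_actions(SAMPLE_POLICY))
    hardened_xml, did_change = harden_policy(SAMPLE_POLICY)
    print("changed:", did_change)
    for action_id, default in allow_active_defaults(hardened_xml).items():
        print(f"  {action_id}: allow_active={default}")
```

When writing the result back to a real file, build the tree with `ET.ElementTree(root)` and call `.write(path, encoding="UTF-8", xml_declaration=True)`, since `ET.tostring` drops the XML declaration. After the change, `pkaction --verbose --action-id org.freedesktop.udisks2.modify-device` prints the defaults polkit is actually using, so the `implicit active` line can be checked for `auth_admin` rather than trusting the edit on disk.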

Given the universal nature of the udisks vulnerability and the ease of exploitation, security teams should treat this as a critical, enterprise-wide risk requiring immediate deployment of available patches across all Linux systems in their environment.


Ethan Brooks

Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.

