Skip to main content

Linux CVE-2025-11561

HIGH
Improper Privilege Management (CWE-269)
2025-10-09 secalert@redhat.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
SUSE
HIGH
qualitative
Red Hat
8.8 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 19, 2026 - 18:30 vuln.today
CVE Published
Oct 09, 2025 - 14:15 nvd
HIGH 8.8

DescriptionCVE.org

A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.

AnalysisAI

A privilege escalation vulnerability exists in the integration between Active Directory and the System Security Services Daemon (SSSD) on Linux systems, where an attacker with permissions to modify AD attributes can impersonate privileged users by exploiting a fallback mechanism in the Kerberos authentication plugin. The vulnerability affects domain-joined Linux hosts running SSSD in default configurations and allows attackers to gain unauthorized access with high privileges. With a low EPSS score of 0.05% and no KEV listing, this appears to be a theoretical risk requiring existing AD permissions rather than an actively exploited vulnerability.

Technical ContextAI

The vulnerability occurs in SSSD, a system daemon that provides access to remote identity and authentication providers on Linux systems, specifically in its Kerberos local authentication plugin (sssd_krb5_localauth_plugin) when integrated with Active Directory environments. When the primary authentication method fails, SSSD falls back to the an2ln (authorization name to local name) plugin, which can be manipulated if an attacker has permissions to modify Active Directory attributes like userPrincipalName or samAccountName. This represents a CWE-269 (Improper Privilege Management) vulnerability where the system fails to properly validate the mapping between AD principals and local Linux users during the fallback authentication process.

Affected ProductsAI

Systems running SSSD (System Security Services Daemon) on Linux in Active Directory integrated environments are affected, particularly Red Hat Enterprise Linux versions as indicated by the numerous Red Hat Security Advisories (RHSA-2025:19610 through RHSA-2025:21795). The vulnerability affects SSSD installations where the Kerberos local authentication plugin is enabled in default configurations with potential fallback to the an2ln plugin. Multiple Red Hat Enterprise Linux versions including RHEL 7, 8, and 9 variants are confirmed affected based on the advisory references.

RemediationAI

Apply the security updates provided in the Red Hat Security Advisories, with specific patches available for each affected RHEL version as documented in advisories RHSA-2025:19610 through RHSA-2025:21795 accessible via access.redhat.com. As an immediate mitigation, organizations should audit and restrict AD permissions to prevent unauthorized modification of userPrincipalName and samAccountName attributes, and consider disabling the an2ln plugin fallback mechanism in SSSD configuration if not required. System administrators should review SSSD authentication configurations and implement principle of least privilege for AD service accounts.

Vendor StatusVendor

SUSE

Severity: High
Product Status
Container suse/manager/5.0/x86_64/server:5.0.6.7.36.2 Affected
Container suse/multi-linux-manager/5.1/x86_64/server:5.1.1.1.8.10.2 Image server-image Affected
Container suse/sl-micro/6.0/baremetal-os-container:2.1.3-4.23 Container suse/sl-micro/6.0/base-os-container:2.1.3-4.23 Container suse/sl-micro/6.0/kvm-os-container:2.1.3-4.24 Container suse/sl-micro/6.0/rt-os-container:2.1.3-5.23 Container suse/sl-micro/6.0/toolbox:13.2-9.1 Image SL-Micro Affected
Image SL-Micro-BYOS-EC2 Image SL-Micro-EC2 Image SUSE-Multi-Linux-Manager-Proxy-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-BYOS-EC2 Image SUSE-Multi-Linux-Manager-Server-EC2-llc Image SUSE-Multi-Linux-Manager-Server-EC2-ltd Affected
Image SLES-Azure-3P Image SLES-Azure-Basic Image SLES-Azure-Standard Image SLES-BYOS-Azure Image SLES-BYOS-EC2 Image SLES-BYOS-GCE Image SLES-CHOST-BYOS-Aliyun Image SLES-CHOST-BYOS-Azure Image SLES-CHOST-BYOS-EC2 Image SLES-CHOST-BYOS-GCE Image SLES-CHOST-BYOS-GDC Image SLES-CHOST-BYOS-SAP-CCloud Image SLES-EC2 Image SLES-GCE Image SLES-Hardened-BYOS-Azure Image SLES-Hardened-BYOS-EC2 Image SLES-Hardened-BYOS-GCE Image SLES-SAP-Azure Image SLES-SAP-Azure-3P Image SLES-SAP-BYOS-Azure Image SLES-SAP-BYOS-EC2 Image SLES-SAP-BYOS-GCE Image SLES-SAP-GCE Image SLES-SAPCAL-Azure Image SLES-SAPCAL-EC2 Image SLES-SAPCAL-GCE Affected

Share

CVE-2025-11561 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy