CVE-2025-11561

Severity: HIGH (CVSS 3.1 base score 8.8)
Published: 2025-10-09, source: [email protected]

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch Released: Mar 31, 2026 - 21:13 (nvd), patch available
Analysis Generated: Mar 19, 2026 - 18:30 (vuln.today)
CVE Published: Oct 09, 2025 - 14:15 (nvd)

Description

A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.

Analysis

A privilege escalation vulnerability exists in the integration between Active Directory and the System Security Services Daemon (SSSD) on Linux systems, where an attacker with permissions to modify AD attributes can impersonate privileged users by exploiting a fallback mechanism in the Kerberos authentication plugin. The vulnerability affects domain-joined Linux hosts running SSSD in default configurations and allows attackers to gain unauthorized access with high privileges. With a low EPSS score of 0.05% and no KEV listing, this appears to be a theoretical risk requiring existing AD permissions rather than an actively exploited vulnerability.

Technical Context

The vulnerability occurs in SSSD, a system daemon that provides access to remote identity and authentication providers on Linux systems, specifically in its Kerberos local authentication plugin (sssd_krb5_localauth_plugin) when integrated with Active Directory environments. When the primary authentication method fails, SSSD falls back to the an2ln (authorization name to local name) plugin, which can be manipulated if an attacker has permissions to modify Active Directory attributes like userPrincipalName or samAccountName. This represents a CWE-269 (Improper Privilege Management) vulnerability where the system fails to properly validate the mapping between AD principals and local Linux users during the fallback authentication process.

Affected Products

Systems running SSSD (System Security Services Daemon) on Linux in Active Directory integrated environments are affected, particularly Red Hat Enterprise Linux versions as indicated by the numerous Red Hat Security Advisories (RHSA-2025:19610 through RHSA-2025:21795). The vulnerability affects SSSD installations where the Kerberos local authentication plugin is enabled in default configurations with potential fallback to the an2ln plugin. Multiple Red Hat Enterprise Linux versions including RHEL 7, 8, and 9 variants are confirmed affected based on the advisory references.

Remediation

Apply the security updates provided in the Red Hat Security Advisories, with specific patches available for each affected RHEL version as documented in advisories RHSA-2025:19610 through RHSA-2025:21795, accessible via access.redhat.com. As an immediate mitigation, organizations should audit and restrict AD permissions to prevent unauthorized modification of the userPrincipalName and samAccountName attributes, and consider disabling the an2ln plugin fallback mechanism in the SSSD configuration if it is not required. System administrators should review SSSD authentication configurations and apply the principle of least privilege to AD service accounts.
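The audit step above (finding out who can actually write userPrincipalName and samAccountName, the permission the description says an attacker needs) can be scripted. The following PowerShell is an added example written for this page; it is not part of the vuln.today record or of Red Hat's advisories. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the directory, a placeholder search base of OU=Linux Admins,DC=example,DC=com, and an assumed list of trustees that are expected to hold write rights; everything else that appears is reported for review.

```powershell
# Added example (not from vuln.today or Red Hat): list AD trustees that hold
# WriteProperty on userPrincipalName or sAMAccountName for users under an OU.
# Assumes: RSAT ActiveDirectory module, domain-joined session with directory read access.
Import-Module ActiveDirectory

# ACEs reference attributes by schemaIDGUID, so resolve the GUID of each attribute first.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$attrGuids = @{}
foreach ($attr in 'userPrincipalName', 'sAMAccountName') {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    $attrGuids[[guid]$schemaObj.schemaIDGUID] = $attr   # byte[] -> Guid
}

# Assumption: these trustees are expected to write account attributes; tune per environment.
$expectedTrustees = @('SYSTEM', 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Account Operators')

# Placeholder OU holding the accounts mapped to privileged users on domain-joined Linux hosts.
$searchBase = 'OU=Linux Admins,DC=example,DC=com'

$writeProperty = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$findings = foreach ($user in Get-ADUser -SearchBase $searchBase -Filter *) {
    $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # GenericWrite and GenericAll include the WriteProperty bit, so a bitwise test catches them too.
        $grantsWrite = (([int]$ace.ActiveDirectoryRights) -band $writeProperty) -ne 0
        if (-not $grantsWrite) { continue }

        # An empty ObjectType means the ACE covers every attribute; otherwise match our two GUIDs.
        $target = if ($ace.ObjectType -eq [guid]::Empty) { 'all attributes' }
                  elseif ($attrGuids.ContainsKey($ace.ObjectType)) { $attrGuids[$ace.ObjectType] }
                  else { $null }
        if (-not $target) { continue }

        $trustee = $ace.IdentityReference.Value -replace '^.*\\', ''   # strip DOMAIN\ prefix
        if ($expectedTrustees -contains $trustee) { continue }

        [pscustomobject]@{
            User      = $user.SamAccountName
            Trustee   = $ace.IdentityReference.Value
            Attribute = $target
            Inherited = $ace.IsInherited   # inherited ACEs point at an OU-level delegation
        }
    }
}

$findings | Sort-Object Trustee, User | Format-Table -AutoSize
```

Each row is a trustee outside the expected list that can rewrite one of the two attributes on a user in the OU; the Inherited column tells you whether to fix the ACE on the user object or on a parent container delegation. Run it again after tightening the ACLs to confirm the list is empty.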

Priority Score

44 (gauge: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.1
CVSS: +44
POC: 0

Vendor Status


CVE-2025-11561 vulnerability details – vuln.today
