
CVE-2025-4404 (canonical identifier)
EUVD ID: EUVD-2025-18495
Severity: Critical, 9.1 (disputed) · Vendor: redhat
Weakness: Insufficient Granularity of Access Control (CWE-1220)
Published: 2025-06-17 · CNA contact: secalert@redhat.com

Severity by source

Sources disagree (Medium to Critical).
Vendor (redhat, primary): 9.1 CRITICAL, AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Ubuntu: MEDIUM (qualitative)
SUSE: CRITICAL (qualitative)
Red Hat: 9.1 HIGH (qualitative)

vuln.today treats the vendor’s rating as authoritative. A higher third-party CVSS (e.g. CISA-ADP) is shown for transparency but does not drive the headline severity.

CVSS Vector (Vendor: redhat)

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Patch released (patch available): Mar 31, 2026 - 21:13 (source: nvd)
EUVD ID assigned (EUVD-2025-18495): Mar 14, 2026 - 22:15 (source: euvd)
Analysis generated: Mar 14, 2026 - 22:15 (source: vuln.today)
CVE published: Jun 17, 2025 - 14:15 (source: nvd)

Description (source: CVE.org)

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the krbCanonicalName for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.

Analysis (AI-generated)

Critical privilege escalation vulnerability in FreeIPA that allows authenticated users with high privileges to create Kerberos services with the same canonical name (krbCanonicalName) as the realm administrator, enabling them to obtain administrative credentials. The vulnerability affects FreeIPA default configurations where uniqueness validation is not enforced, allowing attackers to retrieve Kerberos tickets with admin@REALM credentials and perform unrestricted administrative operations. With a CVSS 9.1 score and network-accessible attack vector, this represents a severe threat to FreeIPA-based identity infrastructures, particularly in environments where service creation permissions are delegated or insufficiently restricted.

Technical Context (AI-generated)

FreeIPA is an open-source identity management system built on LDAP, Kerberos, and DNS. The vulnerability stems from inadequate validation of the krbCanonicalName attribute, a critical identifier in Kerberos that uniquely identifies principals in the Key Distribution Center (KDC). CWE-1220 (Insufficient Granularity of Access Control) indicates the root cause: FreeIPA fails to enforce uniqueness constraints at the schema or application level, allowing duplicate canonical names across different service principals. The Kerberos protocol relies on canonical name uniqueness to ensure proper ticket issuance and validation; when an attacker creates a service with the admin's canonical name, the KDC may issue tickets bearing admin credentials to the attacker-controlled service. This is compounded by FreeIPA's default configuration not validating this constraint, making the issue present in standard deployments. The attack leverages the interaction between LDAP object creation (insufficient access control) and Kerberos ticket generation (canonical name collision).

Remediation (AI-generated)

Immediate remediation steps:

(1) Apply the FreeIPA upstream patches that add krbCanonicalName uniqueness validation; fixed releases should enforce the constraint at both the schema and the application layer.
(2) Contact Red Hat for RHEL Identity Management advisory patches (RHSA-* advisories).
(3) Until patched, implement compensating controls: enforce a uniqueness constraint on krbCanonicalName at the directory server level; restrict service creation permissions to trusted administrators only; audit existing services for duplicate canonical names and remove unauthorized entries.
(4) Monitor FreeIPA upstream (freeipa.org) and Red Hat (access.redhat.com) for official patches.
(5) Implement network segmentation restricting service creation requests to authorized administrative networks.
(6) Enable Kerberos audit logging to detect unauthorized ticket requests for admin principals.
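One way to carry out the audit in step (3), as an added example that is not FreeIPA's or Red Hat's own tooling: a small Python script that parses an LDIF export of the FreeIPA directory and reports every krbCanonicalName value held by more than one entry. The realm EXAMPLE.TEST, the DNs and the sample export are constructed.

```python
from collections import defaultdict

# Constructed LDIF export (realm EXAMPLE.TEST is a placeholder): the admin user, a
# legitimate HTTP service, and a service that also claims the admin's canonical name.
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
krbCanonicalName: admin@EXAMPLE.TEST

dn: krbprincipalname=HTTP/ipa.example.test@EXAMPLE.TEST,cn=services,
 cn=accounts,dc=example,dc=test
krbCanonicalName: HTTP/ipa.example.test@EXAMPLE.TEST

dn: krbprincipalname=admin@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
krbCanonicalName: admin@EXAMPLE.TEST
"""

def parse_ldif(text):
    """Minimal LDIF parser: one {attribute: [values]} dict per entry. Unfolds continuation
    lines and lowercases attribute names; base64 ("::") values and comments are not handled."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # continuation of the previous line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if not line.strip():                   # blank line ends the entry
            if current is not None:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":                       # "dn:" opens a new entry
            current = defaultdict(list)
        if current is not None:
            current[attr].append(value)
    return entries

def find_collisions(entries, attr="krbcanonicalname"):
    """Canonical names held by more than one entry -> {name: [dn, ...]}; compared case-insensitively (conservative)."""
    owners = defaultdict(list)
    for entry in entries:
        for name in entry.get(attr, []):
            owners[name.lower()].append(entry["dn"][0])
    return {name: dns for name, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    for name, dns in find_collisions(parse_ldif(SAMPLE_LDIF)).items():
        print(f"COLLISION {name}: {' | '.join(dns)}")
```

Any principal that the script reports for both a cn=users entry and a cn=services entry is the pattern this CVE describes and warrants a check of who created the service entry and when.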


Vendor Status

Ubuntu

Priority: Medium
freeipa
Release Status Version
trusty needs-triage -
xenial needs-triage -
bionic needs-triage -
focal needs-triage -
jammy needs-triage -
noble needs-triage -
upstream needs-triage -
plucky ignored end of life, was needs-triage
oracular ignored end of life, was needs-triage
questing needs-triage -

Debian

Bug #1108050
freeipa
Release Status Fixed Version Urgency
bookworm vulnerable 4.9.11-1 -
trixie fixed 4.12.4-1 -
forky, sid fixed 4.13.1-1 -
(unstable) fixed 4.12.4-1 unimportant

SUSE

Severity: Critical
Product Status
SUSE Liberty Linux 8 Fixed
SUSE Liberty Linux 9 Fixed
