Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
A flaw was found in the temporary user record that authd uses in the pre-auth NSS. As a result, a user login for the first time will be considered to be part of the root group in the context of that SSH session.
AnalysisAI
Privilege escalation flaw in authd's temporary user record handling during pre-authentication NSS operations that causes first-time SSH login users to be incorrectly assigned root group membership within their session context. This allows authenticated users (PR:L) to gain elevated group privileges over the network (AV:N) with low complexity, affecting system confidentiality (C:H) and integrity (I:L). The vulnerability has a high CVSS score of 8.5, though real-world exploitation requires valid login credentials and depends on authentication infrastructure specifics.
Technical ContextAI
The vulnerability exists in authd (authentication daemon) and its interaction with NSS (Name Service Switch) during the pre-authentication phase. Specifically, when authd creates a temporary user record for first-time SSH authentication, it incorrectly initializes group memberships to include the root group (GID 0). This is a CWE-269 (Improper Access Control / Unintended Access) issue where the access control logic fails to properly restrict group membership assignment. The flaw manifests in the NSS layer responsible for user and group lookups during SSH authentication, meaning the vulnerability affects any system using authd with SSH that relies on dynamic user provisioning or first-time user authentication scenarios. The root cause appears to be insufficient validation or initialization of group context in the temporary user record structure before it is made available to the authentication context.
RemediationAI
Immediate remediation steps: (1) Patch authd to the latest patched version from your distribution vendor (check RedHat Security Advisories, Debian Security Tracker, or your vendor's bulletin for CVE-2025-5689). (2) Until patching, implement workarounds by restricting SSH access to known users only (disable password authentication if possible, use key-based auth with restricted authorized_keys). (3) Review and restrict sudo/group membership policies to minimize blast radius if a first-time user gains elevated group access. (4) Monitor authd logs and SSH authentication logs for first-time user logins and unexpected group assignments. (5) Consider disabling first-time user auto-provisioning features if feasible. (6) Apply the patch through standard distribution update channels (yum update authd, apt-get update && apt-get upgrade authd, or equivalent). Verify patch application by checking authd version post-update and testing first-time user authentication in a controlled environment.
GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of
freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demons
GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, whi
OpenSSH server (sshd) 9.1 introduced a double-free vulnerability during options.kex_algorithms handling. Rated medium se
sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processin
The auth_password function in auth-passwd.c in sshd in OpenSSH before 7.3 does not limit password lengths for password a
Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to
The SSH USERAUTH CHANGE REQUEST feature in SSH Tectia Server 6.0.4 through 6.0.20, 6.1.0 through 6.1.12, 6.2.0 through 6
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allVendor StatusVendor
SUSE
Severity: High| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 16.0 | Fixed |
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18385
GHSA-g8qw-mgjx-rwjr