Cybersecurity researchers have unveiled two severe local privilege escalation (LPE) vulnerabilities in widely used Linux components, Pluggable Authentication Modules (PAM) and Udisks, which can be chained to grant an unprivileged attacker full root access on major Linux distributions.
These flaws, identified as CVE-2025-6018 (PAM) and CVE-2025-6019 (Udisks/libblockdev), pose a significant threat to countless Linux systems globally.
Discovered by the Qualys Threat Research Unit (TRU), the exploit chain demonstrates a rapid path from an ordinary logged-in user, even via an SSH session, to a complete system takeover.
The first vulnerability, CVE-2025-6018, primarily affects the PAM configuration in openSUSE Leap 15 and SUSE Linux Enterprise 15. This misconfiguration allows an unprivileged local attacker to elevate their privileges to “allow_active,” a status typically reserved for physically present users, thereby enabling them to invoke privileged Polkit actions.
The second and equally critical vulnerability, CVE-2025-6019, resides in libblockdev and is exploitable via the udisks daemon. The udisks daemon, which is installed by default on almost all Linux distributions, is responsible for managing disks and storage devices.
This flaw permits an “allow_active” user to gain full root privileges by manipulating mount options when resizing certain file systems.
The danger of these vulnerabilities lies in their chaining. While CVE-2025-6019 nominally requires “allow_active” privileges, the PAM flaw (CVE-2025-6018) provides exactly that, effectively creating a direct, low-effort path to root access.
Qualys TRU has successfully demonstrated proof-of-concept exploits on various operating systems, including Ubuntu, Debian, Fedora, and openSUSE Leap 15, highlighting the broad impact of these issues.
Upon obtaining root privileges, attackers gain carte blanche access to the compromised system, allowing for extensive post-compromise actions such as altering security controls, implanting backdoors for persistent access, and initiating broader fleet-wide compromises through lateral movement.
Linux distribution vendors are urged to release patches, and users are strongly advised to apply them immediately. As a temporary mitigation, administrators can modify the Polkit rule for “org.freedesktop.udisks2.modify-device” so that it requires administrator authentication (“auth_admin”) instead of granting the action to any user with “allow_active” status. This chained exploit underscores the continuous need for vigilant patch management and robust security practices in Linux environments.
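The Polkit mitigation described above, as an added example that is not from the article or from the udisks or polkit projects: the rule itself is written in polkit's JavaScript rules dialect, while the small `polkit` stand-in object, the `decide()` dispatcher and the sample subject are constructed here so the rule can be checked offline (the `.rules` file path is an assumption).

```javascript
// Added example. The rule between the markers is what would go into a file such as
// /etc/polkit-1/rules.d/10-udisks2-modify-device.rules (assumed path; polkitd reads
// rules.d files in lexical order). The `polkit` object is a constructed stand-in for
// the global that polkitd provides, kept only so the rule can be exercised offline.

const rules = [];
const polkit = {
  Result: {
    NOT_HANDLED: "not_handled", // defer to later rules / the action's defaults
    AUTH_ADMIN: "auth_admin",   // require an administrator's credentials
    YES: "yes",
    NO: "no",
  },
  addRule: function (fn) { rules.push(fn); },
};

// --- start of .rules file contents ---
// Mitigation from the advisory: a merely "allow_active" (local, active-session)
// user must no longer receive org.freedesktop.udisks2.modify-device for free.
// Every other action returns NOT_HANDLED, so distribution defaults still apply.
polkit.addRule(function (action, subject) {
  if (action.id === "org.freedesktop.udisks2.modify-device") {
    return polkit.Result.AUTH_ADMIN;
  }
  return polkit.Result.NOT_HANDLED;
});
// --- end of .rules file contents ---

// Stand-in for polkitd's dispatch: rules run in registration order and the first
// result other than NOT_HANDLED wins. `subject` mirrors the fields the real object
// exposes (user, local, active, isInGroup); this rule only inspects `action.id`.
function decide(actionId, subject) {
  for (const fn of rules) {
    const r = fn({ id: actionId }, subject);
    if (r !== undefined && r !== polkit.Result.NOT_HANDLED) return r;
  }
  return polkit.Result.NOT_HANDLED;
}

// Constructed subject: an ordinary user whose session makes them "allow_active".
const activeUser = { user: "alice", local: true, active: true,
                     isInGroup: (g) => g === "users" };
console.log(decide("org.freedesktop.udisks2.modify-device", activeUser)); // auth_admin
console.log(decide("org.example.unrelated-action", activeUser));          // not_handled
```

With this rule in place, a locally logged-in user is prompted for administrator credentials before udisks will modify a device, which closes the allow_active path the chain relies on until the libblockdev/udisks fix is installed.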