Critical Linux Privilege Escalation Vulnerabilities Let Attackers Gain Full Root Access

Two critical, interconnected flaws, CVE-2025-6018 and CVE-2025-6019, enable unprivileged attackers to achieve root access on major Linux distributions.

Affecting millions worldwide, these vulnerabilities pose a severe security emergency that demands immediate patching.

The first vulnerability exploits PAM configuration weaknesses in SUSE systems, while the second leverages the ubiquitous udisks daemon to escalate privileges to root level, creating a perfect storm for system compromise.

Linux Privilege Escalation Vulnerability Chain

The vulnerability chain uncovered by Qualys Threat Research Unit begins with CVE-2025-6018, a local privilege escalation flaw residing in the Pluggable Authentication Modules (PAM) configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. 

This misconfiguration allows unprivileged attackers connecting via SSH to elevate their status to “allow_active” users, a designation typically reserved for physically present users at the console. 

This initial foothold becomes the launching point for the more devastating second attack.

CVE-2025-6019 targets libblockdev, a critical library accessible through the udisks daemon that ships by default on virtually all Linux distributions.

Once an attacker achieves “allow_active” status, this vulnerability provides a direct pathway to full root privileges. 

The combination is particularly dangerous because udisks is pre-installed on mainstream distributions including Ubuntu, Debian, Fedora, and openSUSE, making the attack surface nearly universal. 

Qualys researchers have successfully demonstrated proof-of-concept exploits across these platforms, confirming the widespread nature of the threat.

The attack leverages fundamental Linux system components that handle authentication and device management. 

The PAM framework controls user authentication and session establishment, determining which users qualify as “active” for privileged operations.

In affected SUSE systems, the PAM stack incorrectly treats remote SSH sessions as equivalent to local console access, granting polkit permissions that should remain restricted to physically present users.

The second stage exploits the udisks2 service, which, according to the report, provides a D-Bus interface for storage management operations including mounting, querying, and formatting block devices.

The service communicates with libblockdev to perform low-level device operations. The vulnerability specifically targets the “org.freedesktop.udisks2.modify-device” polkit action, which by default allows any active user to modify devices. 

An attacker with “allow_active” status can manipulate this interface to execute arbitrary code with root privileges, completing the privilege escalation chain.

| CVE | Affected Products | Impact | Exploit Prerequisites | CVSS 3.1 Score |
|---|---|---|---|---|
| CVE-2025-6018 | openSUSE Leap 15; SUSE Linux Enterprise 15 | Elevation to “allow_active” user | Local access (e.g., SSH) to vulnerable PAM configuration | 8.8 (High) |
| CVE-2025-6019 | libblockdev package; udisks daemon (Ubuntu, Debian, Fedora, openSUSE Leap 15+) | Full root privileges | “allow_active” context (e.g., via CVE-2025-6018 or physical console access) | 7.8 (High) |

Urgent Mitigation Required 

Organizations must implement immediate countermeasures to prevent exploitation of these vulnerabilities. 

The primary mitigation involves modifying polkit rules for the “org.freedesktop.udisks2.modify-device” action, changing the allow_active setting from “yes” to “auth_admin” to require administrator authentication. 

This configuration change can be implemented by creating or modifying polkit rule files in /etc/polkit-1/rules.d/.
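The following is an added example, not code from the article or from Qualys: the polkit rule that implements the mitigation just described, written as a rules file, together with a small stand-in for polkit's JavaScript rules API so the rule can be exercised outside polkitd. The file name and the stand-in's evaluation order ("first rule that returns a result wins", falling through to the action's implicit authorization otherwise) are assumptions made for this example; the subjects at the bottom are constructed.

```javascript
// Added example (not from the article or Qualys): hardening rule for
// org.freedesktop.udisks2.modify-device plus a minimal stand-in for the
// `polkit` global that polkitd exposes to .rules files.

// Stand-in for polkit's rules API. Real polkitd provides polkit.addRule and
// polkit.Result; evaluate() is an assumption that mirrors its behavior of
// running rules in order and taking the first non-null result.
const polkit = {
  Result: {
    NO: "no",
    YES: "yes",
    AUTH_SELF: "auth_self",
    AUTH_ADMIN: "auth_admin",
    NOT_HANDLED: null,
  },
  _rules: [],
  addRule(fn) {
    this._rules.push(fn);
  },
  // A rule that returns nothing defers to later rules and, finally, to the
  // implicit authorization declared in the action's .policy file.
  evaluate(action, subject) {
    for (const rule of this._rules) {
      const result = rule(action, subject);
      if (result !== undefined && result !== null) {
        return result;
      }
    }
    return this.Result.NOT_HANDLED;
  },
};

// ---- /etc/polkit-1/rules.d/10-udisks-modify-device.rules (assumed name) ----
// Only this addRule call belongs in the real file; everything else in this
// block exists so the rule can be tested here.
polkit.addRule(function (action, subject) {
  // Override the action's implicit "allow_active: yes" so that even an
  // active user (console, or SSH on an affected PAM configuration) must
  // authenticate as an administrator before udisks2 will modify a device.
  if (action.id === "org.freedesktop.udisks2.modify-device") {
    return polkit.Result.AUTH_ADMIN;
  }
});
// ---- end of rules file ----

// What does polkit decide for a given action id and subject under the rules
// registered above?
function decide(actionId, subject) {
  return polkit.evaluate({ id: actionId }, subject);
}

// Constructed subjects: an SSH-connected user that a misconfigured PAM stack
// marks as active (the CVE-2025-6018 situation) and a user at the console.
const sshUser = { user: "alice", local: false, active: true };
const consoleUser = { user: "bob", local: true, active: true };

console.log("ssh user, modify-device:",
  decide("org.freedesktop.udisks2.modify-device", sshUser));
console.log("console user, modify-device:",
  decide("org.freedesktop.udisks2.modify-device", consoleUser));
// Another udisks2 action is left untouched by this rule and falls through.
console.log("console user, filesystem-mount:",
  decide("org.freedesktop.udisks2.filesystem-mount", consoleUser));
```

Once the real rules file is installed, polkitd watches the rules directory and picks up the change without a restart; running `pkcheck --action-id org.freedesktop.udisks2.modify-device --process $$` from an unprivileged shell is a quick way to confirm that the action no longer resolves to "authorized" for an active user without an administrator prompt.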

Security teams should prioritize patching both PAM configurations and libblockdev/udisks components across their entire Linux infrastructure. 

The vulnerability chain’s reliance on default system packages means that virtually any Linux server or workstation could be vulnerable. 

Given that root access enables attackers to disable security agents, install persistent backdoors, and move laterally through networks, a single compromised system can jeopardize the entire organizational infrastructure. 

Patches should be deployed without delay, as the simplicity of exploitation makes these vulnerabilities an immediate and universal risk to Linux environments worldwide.


The post Critical Linux Privilege Escalation Vulnerabilities Let Attackers Gain Full Root Access appeared first on Cyber Security News.