New Linux PAM and Udisks Vulnerabilities (CVE-2025-6018 & CVE-2025-6019) Allow Full Root Access Across Major Distributions

Discover how the Linux vulnerabilities CVE-2025-6018 and CVE-2025-6019 let a local attacker gain full root access through a PAM misconfiguration and the udisks daemon. Affects Ubuntu, Debian, SUSE, Fedora and more. Learn the mitigation steps and patching tips.

Introduction

In June 2025, the Qualys Threat Research Unit (TRU) disclosed two local privilege escalation vulnerabilities in Linux systems. Chained together, they let a regular, logged-in user obtain full root access on major Linux distributions including Ubuntu, Debian, Fedora and openSUSE. The vulnerabilities are tracked as:

  • CVE-2025-6018 – A flaw in the PAM (Pluggable Authentication Modules) configuration shipped with SUSE Linux Enterprise 15 and openSUSE Leap 15

  • CVE-2025-6019 – A vulnerability in libblockdev, reachable through the udisks daemon (udisksd) that most desktop and many server installations run as root by default

This blog breaks down the technical aspects, potential risks, and how to protect your systems from these threats.

What Are These New Linux Vulnerabilities?

1. CVE-2025-6018 – Elevation via PAM in SUSE Linux

This vulnerability is in the PAM configuration shipped with SUSE Linux Enterprise 15 and openSUSE Leap 15, not in the PAM library itself. It lets any local user, including one logged in over SSH, be treated by Polkit as an "allow_active" user: the trust level normally reserved for someone with an active session at the physical console, which unlocks actions (such as disk management) that remote users are not supposed to get without authentication. According to the Qualys write-up, the configuration let a user inject environment variables such as XDG_SEAT and XDG_VTNR through pam_env (which read the user-controlled ~/.pam_environment file), so systemd-logind registered the remote login as a local, active session.

2. CVE-2025-6019 – Root Access via Udisks (libblockdev)

CVE-2025-6019 is a flaw in libblockdev, the library udisksd uses for disk operations. Per Qualys, when an allow_active user asks udisks to resize a filesystem, libblockdev mounts it without the nosuid and nodev options, so an attacker can supply a filesystem image containing a setuid-root binary and execute it as root. Because the udisks daemon runs as root on most Linux systems, this step works across distributions. The chain through CVE-2025-6018 is only needed where the attacker is not already allow_active: a user logged in at a local console or desktop can exploit CVE-2025-6019 directly.

Why Are These Flaws So Dangerous?

These two vulnerabilities can be chained to go from an ordinary local account to root in seconds. A malicious user with any active session, GUI or SSH, can exploit them to:

  • Bypass the authentication Polkit would normally require for privileged actions

  • Execute root-level commands

  • Plant backdoors or disable system defenses

Qualys describes the chain as collapsing the gap between a basic user and full system control: nothing in it requires a password, a sudo entry or a kernel bug.

Other Related Vulnerability: CVE-2025-6020

In addition to the above, Qualys also disclosed another vulnerability:

  • CVE-2025-6020 – A path traversal flaw in pam_namespace (part of Linux-PAM). The module runs as root and follows user-controlled paths while setting up polyinstantiated directories, so it can be abused through symlink attacks and race conditions to gain root.

It affects Linux-PAM versions up to and including 1.7.0 (fixed in 1.7.1), but only on systems where pam_namespace is enabled in the PAM stack and its configuration (/etc/security/namespace.conf) points into directories users control, such as home directories. The module is not enabled by default on most distributions.

Affected Linux Distributions

The impact differs per CVE:

  • CVE-2025-6018 (PAM configuration): SUSE Linux Enterprise 15 and openSUSE Leap 15 only

  • CVE-2025-6019 (libblockdev via udisks): any distribution shipping udisks2 and libblockdev, including Ubuntu, Debian, Fedora, openSUSE Leap 15 and SUSE Linux Enterprise 15

  • CVE-2025-6020 (pam_namespace): any system running Linux-PAM 1.7.0 or earlier with pam_namespace enabled

How Does the Attack Work?

Simplified Exploitation Chain:

  1. Initial Access: The attacker holds an ordinary account on the system, reached via a GUI login or SSH. No root, sudo or group membership is needed.

  2. Privilege Escalation #1: CVE-2025-6018 (SUSE only) makes Polkit treat that session as allow_active, even when it is a remote SSH session. On other distributions this step is unnecessary for a user already logged in at the console or desktop.

  3. Privilege Escalation #2: CVE-2025-6019 lets the allow_active user drive udisks into mounting an attacker-controlled filesystem image without nosuid, and a setuid-root binary inside that image yields a root shell.

  4. System Compromise: Once root, the attacker controls the system completely.
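The following shell script is an added example, not code from the original post or from Qualys. It audits, read-only, the two preconditions the chain depends on: whether systemd-logind reports the caller's session as local and active (the basis of Polkit's allow_active check), and whether the udisks2 action org.freedesktop.udisks2.modify-device is implicitly granted ("yes") to active sessions, which is the unhardened default. The embedded sample outputs are constructed; the "self" session argument to loginctl and the exact layout of pkaction output are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or the Qualys advisory): a read-only
# audit of the two preconditions of the CVE-2025-6018 -> CVE-2025-6019 chain.
# It exploits nothing; it only reports whether the calling session is already
# "allow_active" and whether udisks2 device modification is granted to such
# sessions without any authentication prompt.

UDISKS_ACTION="org.freedesktop.udisks2.modify-device"

# Extract the "implicit active" authorization from the output of
# `pkaction --verbose --action-id <id>` (values such as yes, no, auth_admin).
implicit_active_policy() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*implicit active:[[:space:]]*//p' | head -n 1
}

# Decide from `loginctl show-session <id> -p Active -p Remote` whether logind
# regards the session as local and active. An SSH login normally shows
# Remote=yes; CVE-2025-6018 is what makes such a login look local instead.
session_is_local_active() {
    active=$(printf '%s\n' "$1" | sed -n 's/^Active=//p')
    remote=$(printf '%s\n' "$1" | sed -n 's/^Remote=//p')
    [ "$active" = "yes" ] && [ "$remote" = "no" ]
}

# Verdict: "exposed" means an allow_active caller can request udisks2 device
# changes with no prompt, i.e. the CVE-2025-6019 step has what it needs.
# "unknown" means one of the inputs was empty (tool missing or failed).
udisks_chain_exposure() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo unknown
        return 0
    fi
    if session_is_local_active "$1" && [ "$(implicit_active_policy "$2")" = "yes" ]; then
        echo exposed
    else
        echo not-exposed
    fi
}

# Constructed sample outputs (not captured from a real host): a local console
# session and the unhardened udisks2 default, where active sessions get "yes".
SAMPLE_LOGINCTL='Remote=no
Active=yes'
SAMPLE_PKACTION='org.freedesktop.udisks2.modify-device:
  description:       Modify drive settings
  message:           Authentication is required to modify drive settings
  vendor:            The Udisks Project
  vendor_url:        https://github.com/storaged-project/udisks
  icon:
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   yes'

echo "sample: $(udisks_chain_exposure "$SAMPLE_LOGINCTL" "$SAMPLE_PKACTION")"

# Live check, skipped where the polkit/logind tools are absent (minimal containers).
if command -v pkaction >/dev/null 2>&1 && command -v loginctl >/dev/null 2>&1; then
    live_pk=$(pkaction --verbose --action-id "$UDISKS_ACTION" 2>/dev/null || true)
    live_sess=$(loginctl show-session "${XDG_SESSION_ID:-self}" -p Active -p Remote 2>/dev/null || true)
    echo "live:   $(udisks_chain_exposure "$live_sess" "$live_pk")"
fi
```

Run it as the unprivileged user whose exposure you care about, once from a desktop login and once over SSH. An SSH session reporting "exposed" on an unpatched SUSE 15 host is the CVE-2025-6018 symptom. The script only measures the Polkit surface; a host whose libblockdev is already patched will still show "exposed" because the default policy is unchanged, so the installed package versions must still be compared against the vendor advisory.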

How Can You Protect Your System?

✅ Apply Patches Immediately

SUSE, Ubuntu, Debian, Fedora and other vendors have released or are releasing fixed packages for the PAM configuration, libblockdev/udisks2 and Linux-PAM. Keep your systems updated with your distribution's package manager, and restart the udisks2 service (or reboot) afterwards so the running udisksd picks up the new libblockdev.

Example for Debian-based systems (SUSE: sudo zypper patch; Fedora: sudo dnf upgrade --refresh):

sudo apt update && sudo apt upgrade

Temporary Mitigations

If patches aren't available yet:

  • Modify Polkit rules: require administrator authentication for the udisks action org.freedesktop.udisks2.modify-device by setting its result to auth_admin for all sessions, including active ones. This blocks the CVE-2025-6019 step even for genuinely local users, at the cost of a password prompt for legitimate disk operations.

  • Disable pam_namespace if you do not need polyinstantiated directories, or make sure /etc/security/namespace.conf never points it at user-controlled paths (CVE-2025-6020).
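The script below is an added example, not code from the original post or from Qualys, that writes the interim Polkit hardening for org.freedesktop.udisks2.modify-device and checks whether pam_namespace is actually enabled in a PAM stack before anyone disables it. It assumes the JavaScript rules directory /etc/polkit-1/rules.d (polkit 106 and later) and the .pkla directory /etc/polkit-1/localauthority/50-local.d (polkit 0.105, still used by some Debian and Ubuntu releases); both are parameters so the functions can be exercised against a scratch directory, and the sample PAM stack is constructed.

```shell
#!/bin/sh
# Added example (not from the original post or the Qualys advisory): install
# the interim Polkit hardening for udisks2 device modification so that even an
# allow_active session must authenticate as an administrator, and report
# whether pam_namespace (CVE-2025-6020) is enabled in a given PAM stack.
# Assumed paths: /etc/polkit-1/rules.d (JavaScript rules, polkit >= 106) and
# /etc/polkit-1/localauthority/50-local.d (.pkla files, polkit 0.105).

ACTION_ID="org.freedesktop.udisks2.modify-device"

# JavaScript rule. The low number makes it run before distribution defaults;
# for any other action the function returns undefined (NOT_HANDLED), so nothing
# else changes. $1 = rules directory; prints the path written.
write_js_rule() {
    rule="$1/10-udisks2-modify-device.rules"
    mkdir -p "$1"
    cat > "$rule" <<EOF
// Interim CVE-2025-6019 mitigation: always require admin authentication.
polkit.addRule(function(action, subject) {
    if (action.id == "$ACTION_ID") {
        return polkit.Result.AUTH_ADMIN;
    }
});
EOF
    echo "$rule"
}

# Same policy for the older localauthority backend (.pkla).
write_pkla_rule() {
    rule="$1/10-udisks2-modify-device.pkla"
    mkdir -p "$1"
    cat > "$rule" <<EOF
[CVE-2025-6019 mitigation: admin auth for udisks2 device modification]
Identity=unix-user:*
Action=$ACTION_ID
ResultAny=auth_admin
ResultInactive=auth_admin
ResultActive=auth_admin
EOF
    echo "$rule"
}

# "active" if an uncommented line in the given PAM stack text loads
# pam_namespace.so; only then does disabling the module change anything.
pam_namespace_state() {
    if printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q 'pam_namespace\.so'; then
        echo active
    else
        echo inactive
    fi
}

# Pick the backend from what the host ships (heuristic: polkit 0.105 keeps the
# localauthority tree; newer releases only read rules.d).
install_mitigation() {
    if [ -d /etc/polkit-1/localauthority/50-local.d ]; then
        write_pkla_rule /etc/polkit-1/localauthority/50-local.d
    else
        write_js_rule /etc/polkit-1/rules.d
    fi
}

# Constructed sample PAM stack (not from a real host): pam_namespace commented out.
SAMPLE_PAM='session  required   pam_limits.so
#session required   pam_namespace.so
session  optional   pam_systemd.so'

echo "pam_namespace in sample stack: $(pam_namespace_state "$SAMPLE_PAM")"

# Only write into /etc when explicitly asked to and running as root;
# otherwise preview the JavaScript rule in a scratch directory.
if [ "${1:-}" = "--install" ] && [ "$(id -u)" -eq 0 ]; then
    echo "wrote $(install_mitigation)"
else
    preview_dir="${TMPDIR:-/tmp}/udisks2-mitigation-preview"
    cat "$(write_js_rule "$preview_dir")"
fi
```

Run it with --install as root to apply. To confirm the change, run pkcheck --action-id org.freedesktop.udisks2.modify-device --process $$ from an unprivileged desktop session: before the rule it reports the caller as authorized, afterwards it should demand authentication instead. For the real PAM stacks, feed pam_namespace_state the contents of the files under /etc/pam.d (for example "$(cat /etc/pam.d/login)"), and remember that removing pam_namespace also removes the per-user /tmp isolation it provides, so on hosts where it is "active" prefer the Linux-PAM update once it is available.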

Impact on Linux Security

These flaws show how two individually moderate issues, chained, elevate a basic local user to root even on systems that are otherwise hardened. They also show the risk of privileged helper daemons such as udisks that trust a session-based Polkit check, and how easily a distribution's PAM stack can be misconfigured without any code being wrong.

Because the chain abuses legitimate, signed system components rather than malware, Qualys and other researchers warn that "legitimate tool abuse" of this kind fits naturally into the post-access phase of an advanced persistent threat (APT): defenders should not assume that an unprivileged foothold stays unprivileged.

Key Takeaways

Aspect            Details
Affected systems  CVE-2025-6018: SUSE Linux Enterprise 15 and openSUSE Leap 15. CVE-2025-6019: any distribution shipping udisks2/libblockdev (Ubuntu, Debian, Fedora, SUSE, openSUSE and others). CVE-2025-6020: Linux-PAM 1.7.0 or earlier with pam_namespace enabled.
Flaws             CVE-2025-6018 (PAM configuration), CVE-2025-6019 (libblockdev via udisks), CVE-2025-6020 (pam_namespace)
Risk              Full root access from a basic local session
Exploitable by    Any local account, whether logged in via GUI or SSH
Temporary fix     Require auth_admin for org.freedesktop.udisks2.modify-device in Polkit; disable pam_namespace where it is not needed
Permanent fix     Apply vendor security patches as soon as they are available

Conclusion

These 2025 Linux vulnerabilities are a strong reminder that local security is just as critical as remote hardening. PAM misconfigurations and background daemons like udisks can be silently weaponized to compromise even seemingly secure systems.

System administrators and Linux users should take immediate steps to patch their systems, review PAM and Polkit configurations, and stay up to date with future security advisories.

FAQ

What is CVE-2025-6018?

CVE-2025-6018 is a local privilege escalation vulnerability in the PAM configuration shipped with SUSE Linux Enterprise 15 and openSUSE Leap 15. It lets a normal user, even one connected over SSH, be classified as allow_active, after which Polkit grants that session privileged actions normally reserved for users at the physical console.

What is CVE-2025-6019?

CVE-2025-6019 is a vulnerability in libblockdev, exploitable through the udisks daemon. It lets any allow_active user escalate to full root, whether that status was obtained through CVE-2025-6018 or simply by logging in at a local desktop or console.

Which Linux distributions are affected?

CVE-2025-6018 affects openSUSE Leap 15 and SUSE Linux Enterprise 15. CVE-2025-6019 affects essentially every distribution that ships udisks2 and libblockdev, including Ubuntu, Debian, Fedora and SUSE.

What does “allow_active” mean?

allow_active is the Polkit authorization level for users with an active session on a local seat, i.e. someone physically at the console or logged in to the graphical desktop. Remote sessions such as SSH are normally classified as inactive or "any" and get stricter defaults; CVE-2025-6018 is dangerous precisely because it makes an SSH session count as active.

How do these vulnerabilities work together?

CVE-2025-6018 gives a user allow_active status, and CVE-2025-6019 uses that status to escalate to root. Together, they provide a path to root access from a normal user.

Can these vulnerabilities be exploited remotely?

No. These are local privilege escalation vulnerabilities, which means the attacker must already have access to the machine as a regular user.

What is PAM in Linux?

PAM (Pluggable Authentication Modules) is the framework Linux uses to manage user authentication and session setup. It is configured through stackable modules listed in files under /etc/pam.d, which is why a distribution's configuration, not only the library code, can introduce a vulnerability.

What is Udisks?

Udisks is a D-Bus system service (udisksd) that runs as root and lets unprivileged users manage disks and storage devices, such as mounting removable media, with Polkit deciding which operations each user is allowed.

Why is this vulnerability dangerous?

Because it enables any logged-in user, whether via GUI or SSH, to become root in seconds, bypassing typical security measures.

Has any real attack been reported using these flaws?

At the time of disclosure no in-the-wild exploitation had been reported, but Qualys developed working proof-of-concept exploits for the chain on several distributions, so the flaws should be treated as practically exploitable.

How can I check if my system is vulnerable?

Compare the installed versions of your PAM, libblockdev and udisks2 packages against your vendor's security advisory (for example with rpm -qa 'libblockdev*' udisks2 pam on RPM-based systems, or dpkg -l 'libblockdev*' udisks2 libpam-modules on Debian-based ones). If the fixed versions are not installed and udisksd is running, assume the system is vulnerable to CVE-2025-6019; on SUSE 15 systems without the PAM update, assume CVE-2025-6018 as well.

What is Polkit?

Polkit is a toolkit used for managing system-wide privileges in Linux. It helps determine whether users can perform specific actions.

What are the temporary mitigation steps?

One workaround is to change the Polkit rule for org.freedesktop.udisks2.modify-device to require administrator authentication (auth_admin).

What is the permanent fix for these vulnerabilities?

Apply the official patches released by your Linux distribution’s vendor.

What is Qualys’ role in this discovery?

Qualys Threat Research Unit discovered and responsibly disclosed the vulnerabilities.

Are cloud environments affected?

Yes. A cloud VM running an affected distribution is exposed to any user who can log in to it, including over SSH; where the machine is hosted does not matter. Single-user images where the only login already has sudo gain little new exposure, but shared or multi-tenant hosts do.

Is PAM used only in SUSE?

No. PAM is used across most Linux distributions including Debian, Ubuntu, Fedora, and CentOS.

Can SELinux prevent this attack?

SELinux may constrain what the resulting root process can do, but it is not designed to stop this chain and should not be relied on as a fix. Patching is still necessary.

What is libblockdev?

libblockdev is a library used for disk-related operations such as mounting, formatting, resizing and partitioning. udisksd calls it to perform the requests it receives over D-Bus, which is why a flaw in libblockdev becomes a root-level issue.

Are containers affected?

The vulnerable component is the host's udisks daemon, reached over the system D-Bus. A container that cannot talk to the host's D-Bus or does not run its own udisksd cannot use the flaw directly, but a compromised host gives the attacker root over every container on it.

What are PreBuild vulnerabilities?

These refer to vulnerabilities during software build processes. They are not directly related to these PAM and Udisks flaws.

What is a privilege escalation attack?

It's when an attacker gains higher access privileges than they’re supposed to have, such as moving from user to root.

What is the CVSS score of these vulnerabilities?

Vendors have assigned their own scores and they differ; check your distribution's advisory for the one that applies to you. All three are treated as high severity because the outcome is full root from an ordinary local account.

Are these issues related to PAM namespace?

CVE-2025-6020 is a separate vulnerability in pam_namespace that allows privilege escalation through symlink attacks and race conditions.

What is “secret leakage” in this context?

It refers to exposure of sensitive credentials or secrets, especially from misconfigured authentication systems.

How often should I check for Linux security patches?

Ideally, you should check weekly or set up automatic security updates.

What’s the best way to secure a Linux system?

Regular patching, auditing PAM and Polkit settings, disabling unused services, and using least privilege principles.

Can enterprise EDR tools detect this attack?

Yes, modern EDR solutions can flag the behaviour involved: udisksd setting up a loop device over a user-owned file and mounting it, a setuid-root binary executing from such a mount, and a shell appearing as root with a parent in an unprivileged session. Polkit and udisks activity by SSH sessions that logind otherwise lists as remote is a further signal worth alerting on.

Does 2FA help against local privilege escalation?

2FA protects logins but does not prevent local privilege escalation after access is gained.

Should I audit PAM and Polkit settings regularly?

Yes. Regular auditing helps prevent misconfigurations and detect excessive privileges.
