Cybersecurity firm Qualys has published technical details and proof-of-concept (PoC) code for two newly discovered Linux vulnerabilities—CVE-2025-6018 and CVE-2025-6019—that, when chained together, allow an unprivileged local attacker to escalate privileges and gain full root access on most Linux distributions.
Vulnerability Details
CVE-2025-6018: This flaw is found in the Pluggable Authentication Modules (PAM) configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. Due to a misconfiguration, any local login—including remote SSH sessions—can be treated as if the user is physically present at the console. This grants the attacker the “allow_active” status, which is intended only for users at the physical machine.
CVE-2025-6019: This vulnerability affects the libblockdev library and is exploitable via the udisks daemon, which is included by default on nearly all Linux distributions. An attacker with “allow_active” status can leverage this flaw to escalate privileges to root.
Attack Chain
By chaining these vulnerabilities, an attacker who starts as an unprivileged user (e.g., via SSH) can first exploit CVE-2025-6018 to obtain “allow_active” status, then use CVE-2025-6019 to gain full root access. This chain does not require any special privileges or physical access, making exploitation straightforward and highly dangerous for both desktop and server systems.
Affected Distributions
While CVE-2025-6018 specifically affects SUSE 15-based systems, CVE-2025-6019 is present on most major Linux distributions (including Ubuntu, Debian, Fedora, and openSUSE), since udisks is widely deployed by default.
Impact
Successful exploitation enables attackers to disable security tools, implant backdoors, alter configurations, and potentially use the compromised system as a springboard for further attacks within an organization.
Proof-of-Concept
Qualys has published detailed technical documentation and PoC exploit code, confirming the vulnerabilities are practical and exploitable in real-world scenarios.
Mitigation and Recommendations
Linux distribution maintainers have received patches, and users are strongly urged to apply updates as soon as they become available. As an immediate mitigation, organizations should modify the polkit rule for org.freedesktop.udisks2.modify-device, changing the allow_active setting from yes to auth_admin to reduce risk.
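The mitigation above can be expressed as a polkit rules file; the following is an added example written for this article, not code from Qualys, udisks or polkit. The file path, the shim that lets the rule run outside polkitd, and the evaluateAction helper are assumptions made for illustration and testing.

```javascript
// Assumed path: /etc/polkit-1/rules.d/10-udisks2-modify-device.rules
// Requires administrator authentication for the udisks2 modify-device
// action, overriding the allow_active=yes default that the CVE-2025-6019
// chain relies on. Unrelated actions fall through untouched.
//
// Shim for running this file outside polkitd (e.g. with node). Inside
// polkitd the real `polkit` global already exists, so the shim is skipped.
// Result values mirror the strings polkit uses ("yes", "auth_admin", ...).
if (typeof polkit === "undefined") {
  var polkit = {
    Result: { NO: "no", YES: "yes", AUTH_ADMIN: "auth_admin", NOT_HANDLED: null },
    _rules: [],
    addRule: function (fn) { this._rules.push(fn); },
  };
}

polkit.addRule(function (action, subject) {
  // Only the action named in the mitigation is affected; returning nothing
  // for other actions lets polkit continue with its normal evaluation.
  if (action.id === "org.freedesktop.udisks2.modify-device") {
    return polkit.Result.AUTH_ADMIN;
  }
});

// Helper for offline testing only (assumed, not part of polkit): evaluates the
// registered rules for an action id the way polkit does, returning the first
// non-null result, or null when no rule handled the action.
function evaluateAction(actionId, subject) {
  for (var i = 0; i < polkit._rules.length; i++) {
    var result = polkit._rules[i]({ id: actionId }, subject || {});
    if (result !== null && result !== undefined) {
      return result;
    }
  }
  return null; // falls back to the action's .policy defaults
}
```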
“Given the ubiquity of Udisks and the simplicity of the exploit, organizations must treat this as a critical, universal risk and deploy patches without delay.” — Qualys