Skip to main content
A Singapore Government Agency Website How to identify
Official website links end with .gov.sg
Government agencies communicate via .gov.sg websites (e.g. go.gov.sg/open). Trusted websites
Secure websites use HTTPS
Look for a lock () or https:// as an added precaution. Share sensitive information only on official, secure websites.

Government officials will never ask you to transfer money or disclose bank log-in details over a phone call.

Call the 24/7 ScamShield Helpline at 1799 if you are unsure if something is a scam.

Cyber Security Agency of Singapore
Alerts

Multiple Vulnerabilities in Major Linux Distributions

20 June 2025

Security researchers have identified two new local privilege escalation (LPE) vulnerabilities (CVE-2025-6018 and CVE-2025-6019) that can be chained together to gain root privileges on systems running major Linux distributions.

Background

Security researchers have identified two new local privilege escalation (LPE) vulnerabilities (CVE-2025-6018 and CVE-2025-6019) that can be chained together to gain root privileges on systems running major Linux distributions.

Impact

CVE-2025-6018: Successful exploitation of the vulnerability could allow an unprivileged local attacker to elevate permissions to ‘allow_active’ and invoke actions that are normally reserved for users who are physically present. The vulnerability is present in the Pluggable Authentication Modules (PAM) configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15.

CVE-2025-6019: Successful exploitation of the vulnerability when chained with CVE-2025-6018 could allow an ‘allow_active’ user to leverage the Udisks daemon (used for storage management) and Llibblockdev (a library for low-level block-device operations) to obtain full root access. The vulnerability is present in  libblockdev and exploitable via the udisks daemon included by default on most Linux distributions.

Known Exploitation

While CVE-2025-6018 could allow a local unprivileged attacker connecting via SSH to elevate their status to "active_users", the attacker could exploit CVE-2025-6019 next to gain full root privileges. The Proof of Concept exploit is publicly available here: https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt.

Affected Products

The CVE-2025-6018 vulnerability affects the following products: 

  • openSUSE 

  • Leap 15SUSE 

  • Linux Enterprise 15

The CVE-2025-6019 vulnerability affects the following products:

  • libblockdev 

  • packageudisks daemon (Ubuntu, Debian, Fedora, openSUSE Leap 15+)

Mitigation

Users and administrators of the affected products are advised to peform the following mitigations:

  • Apply the latest security patches for openSUSE Leap 15, SUSE Linux Enterprise 15, and libblockdev/udisks packages on all affected distributions like Ubuntu, Debian, and Fedora.

  • On /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy modify the polkit rule for org.freedesktop.udisks2.modify-device. Change the allow_active from yes to auth_admin: auth_admin

  • Create or update rule files in /etc/polkit-1/rules.d/ to enforce administrator authentication for device modification.

  • Review and fix PAM configurations on SUSE-based systems to ensure SSH users are not granted “allow_active” status mistakenly.

  • Restrict SSH access to only trusted users and implement multi-factor authentication for additional security.

  • Monitor system and polkit logs for suspicious activity, especially involving privilege escalations or udisks interactions.

References
https://rewterz.com/threat-advisory/linux-bugs-let-attackers-gain-root-access

https://blog.qualys.com/vulnerabilities-threat-research/2025/06/17/qualys-tru-uncovers-chained-lpe-suse-15-pam-to-full-root-via-libblockdev-udisks

https://ubuntu.com/blog/udisks-libblockdev-lpe-vulnerability-fixes-available


Back to top