CVE-2025-11561
Published 2025-10-09
Priority: P2 (63) · CVSS 3.1: 8.8 (high)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.77% (50.9th percentile)
A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | sssd | < sssd 2.12.0-1 (forky) | sssd 2.12.0-1 (forky) |
| fedoraproject | sssd | >= 0 < 2.12.0-1 | 2.12.0-1 |
Detection & IOCs (extracted from sources)
- The fallback to the an2ln Kerberos local authentication plugin is the exploitable condition: detect whether 'an2ln' is NOT disabled in the Kerberos configuration files (e.g. /var/lib/sss/pubconf/krb5.include.d/localauth_plugin).
- Monitor for modifications to the Active Directory attributes 'userPrincipalName' or 'samAccountName' by non-privileged domain users, especially where the modified value maps to a privileged local account name on domain-joined Linux hosts.
- Check Kerberos configuration files for the absence of a 'disable = an2ln' directive in the localauth_plugin include file; its absence indicates a vulnerable/unmitigated configuration.
- The vulnerability is present in DEFAULT SSSD configurations on AD-joined Linux systems; no special setup is required for exposure: sssd_krb5_localauth_plugin is enabled by default, but the dangerous an2ln fallback is not suppressed.
- Mitigation requires explicitly adding 'disable = an2ln' in a krb5 include file at /var/lib/sss/pubconf/krb5.include.d/localauth_plugin and ensuring that file is included in the Kerberos configuration.
- The Red Hat Enterprise Linux 6 package (sssd) is out of support scope and will not receive a fix.
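As an added example (not from the advisory, the vendors or the SSSD project), the following POSIX shell script turns the two configuration checks above into something a defender can run on a fleet: it parses the localauth include file named in the advisory, reports whether the `[plugins]` `localauth` block carries a `disable` tag listing `an2ln`, and confirms that `/etc/krb5.conf` actually pulls the include directory in with an `includedir` line (without it the include file is inert). The sample include files written by `demo()` are constructed for this example, and the plugin module path inside them is an assumed placeholder, not a value taken from the page.

```shell
#!/bin/sh
# Added example: audit a host for the CVE-2025-11561 mitigation described in
# the advisory ('disable = an2ln' in the SSSD-managed krb5 include file).
# The paths below are the ones named in the advisory; the sample files that
# demo() writes are constructed for this example.

INCLUDE_DIR="/var/lib/sss/pubconf/krb5.include.d"
INCLUDE_FILE="$INCLUDE_DIR/localauth_plugin"
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"

# an2ln_disabled FILE
#   Exit 0 if FILE has a [plugins] localauth block whose 'disable' tag lists
#   an2ln; exit 1 otherwise. A missing or unreadable file counts as
#   unmitigated, because an absent include cannot disable anything.
an2ln_disabled() {
    [ -r "$1" ] || return 1
    awk '
        /^[[:space:]]*#/ { next }                        # comment line
        /^[[:space:]]*\[[A-Za-z_]+\]/ {                  # [section] header
            sect = $0; gsub(/[^A-Za-z_]/, "", sect)
            inla = 0; depth = 0; next
        }
        sect == "plugins" && /^[[:space:]]*localauth[[:space:]]*=[[:space:]]*\{/ {
            inla = 1; depth = 1; next                     # entering localauth = {
        }
        inla && /\{/ { depth++ }                          # nested block opens
        inla && /\}/ { depth--; if (depth == 0) inla = 0; next }
        inla && depth == 1 && /^[[:space:]]*disable[[:space:]]*=/ {
            split($0, kv, "=")
            n = split(kv[2], mods, /[[:space:],]+/)       # the tag may list several modules
            for (i = 1; i <= n; i++) if (mods[i] == "an2ln") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# krb5_includes_dir CONF DIR
#   Exit 0 if CONF has an 'includedir DIR' line (trailing slash optional).
krb5_includes_dir() {
    [ -r "$1" ] || return 1
    awk -v dir="${2%/}" '
        /^[[:space:]]*includedir[[:space:]]+/ {
            sub(/^[[:space:]]*includedir[[:space:]]+/, "")
            sub(/[[:space:]]+$/, ""); sub(/\/+$/, "")
            if ($0 == dir) ok = 1
        }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# audit_host INCLUDE_FILE KRB5_CONF
#   One line per check; exit 0 only if both pass.
audit_host() {
    rc=0
    if an2ln_disabled "$1"; then
        echo "OK   : an2ln disabled in $1"
    else
        echo "WARN : an2ln NOT disabled in $1 (CVE-2025-11561 unmitigated)"; rc=1
    fi
    if krb5_includes_dir "$2" "$INCLUDE_DIR"; then
        echo "OK   : $2 includes $INCLUDE_DIR"
    else
        echo "WARN : $2 does not include $INCLUDE_DIR (include file is inert)"; rc=1
    fi
    return $rc
}

# demo: two constructed include files, before and after the mitigation.
# The module path is an assumed placeholder, not taken from the advisory.
demo() {
    tmp=$(mktemp -d)
    cat >"$tmp/localauth_plugin.before" <<'EOF'
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }
EOF
    cat >"$tmp/localauth_plugin.after" <<'EOF'
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  disable = an2ln
 }
EOF
    printf 'includedir /var/lib/sss/pubconf/krb5.include.d/\n[libdefaults]\n default_realm = EXAMPLE.TEST\n' >"$tmp/krb5.conf"
    audit_host "$tmp/localauth_plugin.before" "$tmp/krb5.conf"   # first check warns
    audit_host "$tmp/localauth_plugin.after"  "$tmp/krb5.conf"   # both checks pass
    rm -rf "$tmp"
}

# Runs the demo when executed as an2ln_check.sh; source the file to audit a
# real host:  . ./an2ln_check.sh && audit_host "$INCLUDE_FILE" "$KRB5_CONF"
case "$0" in *an2ln_check.sh) demo ;; esac
```

The parser deliberately scopes the `disable` match to the `[plugins]` `localauth` block, so a `disable = an2ln` line that lands in the wrong section is reported as unmitigated rather than silently accepted; fleet tooling can call `audit_host` and act on its exit status.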
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| osv | | 8.8 | HIGH | |
| vendor_debian | | 8.8 | HIGH | |
| vendor_redhat | | 8.8 | HIGH | |
GHSA
GHSA-gj84-8vfx-q3vm: A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems
ghsa_unreviewed · 2025-10-09 · CVE-2025-11561 [HIGH] CWE-269
A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, SSSD does not enable the Kerberos local authentication plugin (sssd_krb5_localauth_plugin), allowing an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users. This can result in unauthorized access or privilege escalation on domain-joined Linux hosts.
OSV
CVE-2025-11561: A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems
osv · 2025-10-09 · CVSS 8.8 [HIGH]
A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.
Red Hat
sssd: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems
vendor_redhat · 2025-10-09 · CVSS 8.8 · CVE-2025-11561 [HIGH] CWE-269
A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.
Debian
CVE-2025-11561: sssd - A flaw was found in the integration of Active Directory and the System Security ...
vendor_debian · 2025 · CVSS 8.8 [HIGH]
A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.
Scope: local
bookworm: open
bullseye: open
forky: resolved (fixed in 2.12.0-1)
sid: resolved (fixed in 2.12.0-1)
trixie: open
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://access.redhat.com/errata/RHSA-2025:19610
- https://access.redhat.com/errata/RHSA-2025:19847
- https://access.redhat.com/errata/RHSA-2025:19848
- https://access.redhat.com/errata/RHSA-2025:19849
- https://access.redhat.com/errata/RHSA-2025:19850
- https://access.redhat.com/errata/RHSA-2025:19851
- https://access.redhat.com/errata/RHSA-2025:19852
- https://access.redhat.com/errata/RHSA-2025:19853
- https://access.redhat.com/errata/RHSA-2025:19854
- https://access.redhat.com/errata/RHSA-2025:19859
- https://access.redhat.com/errata/RHSA-2025:20954
- https://access.redhat.com/errata/RHSA-2025:21020
- https://access.redhat.com/errata/RHSA-2025:21067
- https://access.redhat.com/errata/RHSA-2025:21329
- https://access.redhat.com/errata/RHSA-2025:21795
- https://access.redhat.com/errata/RHSA-2025:22256
- https://access.redhat.com/errata/RHSA-2025:22265
- https://access.redhat.com/errata/RHSA-2025:22277
- https://access.redhat.com/errata/RHSA-2025:22529
- https://access.redhat.com/errata/RHSA-2025:22548
- https://access.redhat.com/errata/RHSA-2025:22724
- https://access.redhat.com/errata/RHSA-2025:23113
- https://access.redhat.com/errata/RHSA-2026:0316
- https://access.redhat.com/errata/RHSA-2026:0677
- https://access.redhat.com/security/cve/CVE-2025-11561
- https://blog.async.sg/kerberos-ldr
- https://bugzilla.redhat.com/show_bug.cgi?id=2402727
- https://github.com/SSSD/sssd/issues/8021