CVE-2025-11561
published 2025-10-09


Priority: P263
Severity: high, CVSS 3.1 base score 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.77% (50.9th percentile)
A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.

Affected

2 ranges

Vendor         Product   Version range              Fixed in
debian         sssd      < 2.12.0-1 (forky)         2.12.0-1 (forky)
fedoraproject  sssd      >= 0, < 2.12.0-1           2.12.0-1

Detection & IOCs

  • The fallback to the an2ln Kerberos local authentication plugin is the exploitable condition: a host is exposed if 'an2ln' is NOT disabled in its Kerberos configuration files (e.g., /var/lib/sss/pubconf/krb5.include.d/localauth_plugin)
  • Monitor for modifications to the Active Directory attributes 'userPrincipalName' or 'samAccountName' by non-privileged domain users, especially where the modified value maps to a privileged local account name on domain-joined Linux hosts
  • Check Kerberos configuration files for the absence of a 'disable = an2ln' directive in the localauth_plugin include file; its absence indicates a vulnerable or unmitigated configuration
  • The vulnerability is present in DEFAULT SSSD configurations on AD-joined Linux systems; no special setup is required for exposure. sssd_krb5_localauth_plugin is enabled by default, but the dangerous an2ln fallback is not suppressed
  • Mitigation requires explicitly adding 'disable = an2ln' in a krb5 include file at /var/lib/sss/pubconf/krb5.include.d/localauth_plugin and ensuring that file is included in the Kerberos configuration
  • The Red Hat Enterprise Linux 6 package (sssd) is out of support scope and will not receive a fix
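The following POSIX shell script is an added defensive check, not part of this CVE record or of the SSSD project: it reads a krb5 localauth include file and reports whether the 'disable = an2ln' directive named above is present. The include path is the one the record gives; the sample file contents (including the sssd module line) are constructed here for illustration and are assumptions about the file's layout, not copied from a real host.

```shell
#!/bin/sh
# Added example (not from the CVE record): verify that a krb5 localauth include
# file suppresses the an2ln fallback with 'disable = an2ln'.
# Real path on an SSSD host (from the record):
#   /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
# The sample files below are constructed; the module line is an assumption.

# Exit status: 0 = directive present (fallback suppressed),
#              1 = directive absent (vulnerable/unmitigated),
#              2 = file missing or unreadable.
check_an2ln_disabled() {
    file="$1"
    [ -r "$file" ] || return 2
    # Drop comment lines, then look for 'disable = an2ln' with any spacing.
    if grep -v '^[[:space:]]*#' "$file" \
       | grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*an2ln[[:space:]]*$'; then
        return 0
    fi
    return 1
}

# Human-readable verdict for one file; never fails under 'set -e'.
report_an2ln() {
    rc=0
    check_an2ln_disabled "$1" || rc=$?
    case $rc in
        0) echo "OK: $1 disables the an2ln fallback" ;;
        1) echo "VULNERABLE: $1 does not contain 'disable = an2ln'" ;;
        *) echo "MISSING: $1 not found or unreadable" ;;
    esac
    return 0
}

# Constructed sample include files (not real host data).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/localauth_plugin.unmitigated" <<'EOF'
[plugins]
 localauth = {
  # module path below is an assumed example, not taken from the record
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }
EOF
cat > "$SAMPLE_DIR/localauth_plugin.mitigated" <<'EOF'
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  disable = an2ln
 }
EOF

report_an2ln "$SAMPLE_DIR/localauth_plugin.unmitigated"
report_an2ln "$SAMPLE_DIR/localauth_plugin.mitigated"
# On a real host:
# report_an2ln /var/lib/sss/pubconf/krb5.include.d/localauth_plugin
```

The check deliberately ignores commented-out lines, so a directive that was added and later commented out is still reported as unmitigated; it does not confirm that the include file is actually pulled into krb5.conf, which the record lists as a separate requirement.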

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv                      8.8     HIGH
vendor_debian            8.8     HIGH
vendor_redhat            8.8     HIGH