CVE-2025-6018
published 2025-07-23CVE-2025-6018: A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM). This flaw allows an…
PriorityP351high7.8CVSS 3.1
AVLACLPRLUINSUCHIHAH
EXPLOIT
EPSS
0.96%
57.0th percentile
A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM). This flaw allows an unprivileged local attacker (for example, a user logged in via SSH) to obtain the elevated privileges normally reserved for a physically present, "allow_active" user. The highest risk is that the attacker can then perform all allow_active yes Polkit actions, which are typically restricted to console users, potentially gaining unauthorized control over system configurations, services, or other sensitive operations.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | pam | — | — |
| suse | pam-config | — | — |
CVSS provenance
nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vendor_debian7.8LOW
vendor_redhat7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
pam-config: LPE from unprivileged to allow_active in PAM
vendor_redhat·2025-06-17·CVSS 7.8
CVE-2025-6018 [HIGH] CWE-863 pam-config: LPE from unprivileged to allow_active in PAM
pam-config: LPE from unprivileged to allow_active in PAM
A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM). This flaw allows an unprivileged local attacker (for example, a user logged in via SSH) to obtain the elevated privileges normally reserved for a physically present, "allow_active" user. The highest risk is that the attacker can then perform all allow_active yes Polkit actions, which are typically restricted to console users, potentially gaining unauthorized control over system configurations, services, or other sensitive operations.
A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM). This flaw allows an unprivilege
Debian
CVE-2025-6018: pam - A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-conf...
vendor_debian·2025·CVSS 7.8
CVE-2025-6018 [HIGH] CVE-2025-6018: pam - A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-conf...
A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM). This flaw allows an unprivileged local attacker (for example, a user logged in via SSH) to obtain the elevated privileges normally reserved for a physically present, "allow_active" user. The highest risk is that the attacker can then perform all allow_active yes Polkit actions, which are typically restricted to console users, potentially gaining unauthorized control over system configurations, services, or other sensitive operations.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
GHSA
GHSA-cg9q-xmf9-7r6w: A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM)
ghsa_unreviewed·2025-07-23
CVE-2025-6018 [HIGH] CWE-863 GHSA-cg9q-xmf9-7r6w: A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM)
A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM). This flaw allows an unprivileged local attacker (for example, a user logged in via SSH) to obtain the elevated privileges normally reserved for a physically present, "allow_active" user. The highest risk is that the attacker can then perform all allow_active yes Polkit actions, which are typically restricted to console users, potentially gaining unauthorized control over system configurations, services, or other sensitive operations.
No detection rules found.
Qualys
Qualys TRU Uncovers Chained LPE: SUSE 15 PAM to Full Root via libblockdev/udisks | Qualys
blogs_qualys·2025-06-17·CVSS 7.8
CVE-2025-6018 [HIGH] Qualys TRU Uncovers Chained LPE: SUSE 15 PAM to Full Root via libblockdev/udisks | Qualys
#### Table of Contents
- Understanding PAM and udisks/libblockdev
- Potential Impact
- Mitigation Guideline for libblockdev/udisks Vulnerability
- Technical Details
- Qualys QID Coverage
- Conclusion
The Qualys Threat Research Unit (TRU) has discovered two linked local privilege escalation (LPE) flaws.
The first (CVE-2025-6018) resides in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. Using this vulnerability, an unprivileged local attacker—for example, via SSH—can elevate to the “allow_active” user and invoke polkit actions normally reserved for a physically present user.
The second (CVE-2025-6019) affects libblockdev, is exploitable via the udisks daemon included by default on most Linux distributions, and allows an “allow_active” user to gain full root privi
Qualys
Qualys TRU Uncovers Chained LPE: SUSE 15 PAM to Full Root via libblockdev/udisks
blogs_qualys·2025-06-17·CVSS 7.8
CVE-2025-6018 [HIGH] Qualys TRU Uncovers Chained LPE: SUSE 15 PAM to Full Root via libblockdev/udisks
## Table of Contents
Understanding PAM and udisks/libblockdev
Potential Impact
Mitigation Guideline for libblockdev/udisks Vulnerability
Technical Details
Qualys QID Coverage
Conclusion
The Qualys Threat Research Unit (TRU) has discovered two linked local privilege escalation (LPE) flaws.
The first (CVE-2025-6018) resides in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. Using this vulnerability, an unprivileged local attacker—for example, via SSH—can elevate to the “allow_active” user and invoke polkit actions normally reserved for a physically present user.
The second (CVE-2025-6019) affects libblockdev, is exploitable via the udisks daemon included by default on most Linux distributions, and allows an “allow_active” user to gain full root privileges. Al
Bugzilla
CVE-2025-6018 pam-config: LPE from unprivileged to allow_active in PAM
bugzilla·2025-06-13·CVSS 7.8
CVE-2025-6018 [HIGH] CVE-2025-6018 pam-config: LPE from unprivileged to allow_active in PAM
CVE-2025-6018 pam-config: LPE from unprivileged to allow_active in PAM
an LPE vulnerability (a Local Privilege Escalation) in the PAM configuration: an unprivileged local attacker (e.g., an attacker who logs in via sshd) can obtain the privileges of a physical "allow_active" user (i.e., a user who is physically sitting in front of the computer) and can therefore perform all the "allow_active yes" polkit actions that are normally reserved for physical users.
https://access.redhat.com/security/cve/CVE-2025-6018https://bugzilla.redhat.com/show_bug.cgi?id=2372693https://bugzilla.suse.com/show_bug.cgi?id=1243226https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txthttp://www.openwall.com/lists/oss-security/2025/08/28/4https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
2025-07-23
Published