Two newly disclosed Linux vulnerabilities could let attackers chain their way to full root access, even from an ordinary SSH session, on default installs of multiple major distros, Qualys security researchers have warned.
Earlier this week, the Qualys Threat Research Unit (TRU) published details and proof-of-concept (PoC) code for CVE-2025-6018 and CVE-2025-6019, two local privilege escalation (LPE) flaws that can be exploited in tandem to achieve root access in seconds. Researchers successfully tested the exploit on SUSE, Debian, Ubuntu, and Fedora systems.
How the Exploit Works
CVE-2025-6018 is in PAM, the login management software on SUSE Linux. Because of a configuration mistake, PAM can wrongly treat anyone who logs in over SSH as a trusted, locally present user with more permissions than they should have.
CVE-2025-6019 is in libblockdev, part of the udisks service, which helps Linux manage disks and storage. An attacker with those permissions can trick udisks into mounting a malicious file system that lets them run code as root (the highest level of access on Linux).
When attackers use the two bugs together, they can log in over SSH as a normal user and become root within seconds – no extra tricks or tools needed.
What Hackers Could Do
According to Qualys, this kind of attack grants a normal user account full control of the system and works on most Linux systems out of the box.
Once they have root, attackers can disable security tools, install malware, or change system settings so they survive a reboot. If they take over one server, they can often attack others on the same network, meaning one unpatched machine can put an entire company at risk.
How to Fix It
Qualys says everyone should patch these bugs right away.
As a temporary fix, admins can adjust a key setting in udisks:
- Change the policy for org.freedesktop.udisks2.modify-device so that it requires administrator approval, not just an “active” user, to modify or mount devices
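To check whether a host still carries the permissive default and to produce the override that enforces administrator approval, here is an added audit helper (not Qualys's code or part of udisks). It assumes the udisks2 policy file lives at /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy and that the host's polkit honours JavaScript rules in /etc/polkit-1/rules.d; the embedded XML is a constructed sample modelled on that file.

```python
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample modelled on a polkit .policy file. On a real host the file
# is assumed to be /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy;
# only the action named in the mitigation is included here.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.freedesktop.udisks2.modify-device">
    <description>Modify the drive settings</description>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

ACTION_ID = "org.freedesktop.udisks2.modify-device"
WEAK = "yes"             # any "active" session is allowed without authentication
HARDENED = "auth_admin"  # administrator must authenticate first

def active_default(policy_xml: str, action_id: str = ACTION_ID) -> Optional[str]:
    """Return the <allow_active> default for action_id, or None if not present."""
    root = ET.fromstring(policy_xml)
    for action in root.iter("action"):
        if action.get("id") == action_id:
            node = action.find("defaults/allow_active")
            return node.text.strip() if node is not None and node.text else None
    return None

def is_weak(policy_xml: str) -> bool:
    """True when an 'active' user may modify devices with no admin approval."""
    return active_default(policy_xml) == WEAK

def override_rule(action_id: str = ACTION_ID) -> str:
    """polkit rules.d snippet (JavaScript) forcing admin authentication for action_id.
    Assumes a polkit that reads /etc/polkit-1/rules.d/*.rules."""
    return ("polkit.addRule(function(action, subject) {\n"
            f'    if (action.id == "{action_id}") {{\n'
            "        return polkit.Result.AUTH_ADMIN;\n"
            "    }\n"
            "});\n")

if __name__ == "__main__":
    import sys
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    print("allow_active =", active_default(xml_text), "->", "WEAK" if is_weak(xml_text) else "ok")
    print(override_rule(), end="")
```

Run it against the real policy file path to audit a host; the printed rule is what you would drop into a new file under /etc/polkit-1/rules.d until the vendor patch is installed.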
Linux vendors have already released patches, and Red Hat has confirmed that this bug affects versions 7, 8, 9, and 10 of Red Hat Enterprise Linux.
Qualys will also update its vulnerability scanner so customers can quickly identify systems that still need patching.
Why it Matters
This isn’t one small bug.
If you leave even one server unpatched, attackers can use it to gain root and, from there, attack the entire network. Security teams should prioritize patching now, especially for servers that are exposed to the Internet.
Josh is a Content writer at Bora. He graduated with a degree in Journalism in 2021 and has a background in cybersecurity PR. He's written on a wide range of topics, from AI to Zero Trust, and is particularly interested in the impacts of cybersecurity on the wider economy.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.