Two serious vulnerabilities have recently been discovered that attackers can use to escalate local privileges and gain root access on some of the most popular Linux distributions.
The first, identified as CVE-2025-6018, is related to how PAM (the system that manages authentication in Linux) is configured on openSUSE Leap 15 and SUSE Linux Enterprise 15. In short: if an attacker already has access to the system, they can exploit this flaw to impersonate a special user called allow_active, who has more permissions than they should.
The second vulnerability, CVE-2025-6019, affects libblockdev, a library used to manage disks. In this case, a user with allow_active permissions can take advantage of the udisks service (which is enabled by default in many distros) to escalate their privileges and become root.
Both are local vulnerabilities, meaning the attacker must already be on the system, but the risk is still high because they make it easy to take full control of the machine without complex techniques.
Although these two vulnerabilities are more dangerous when used together in a chained attack to escalate from local user to root, the flaw in libblockdev/udisks is serious enough on its own.
As explained by Qualys' Threat Research Unit (TRU):
"Although in theory you need 'allow_active' permissions to exploit it, the truth is that udisks comes pre-installed on almost every Linux distribution. So virtually any system could be at risk."
What’s even more concerning is that obtaining those allow_active permissions isn’t that hard either. One of the techniques, in fact, involves exploiting the other vulnerability (the one affecting PAM), which completely removes that “security barrier.”
"An attacker can chain these flaws and gain root access with very little effort"
The Qualys TRU team, which discovered and reported both bugs, even developed working proof-of-concept exploits. They successfully achieved root access on Ubuntu, Debian, Fedora, and openSUSE Leap 15 systems. So this isn’t just theoretical: they tested it, and it works.
Do You Use Linux? It's Time to Patch Without Delay
If you manage Linux servers, now is the time to act. The Qualys security team has already published all the technical details of these two new vulnerabilities (along with the patches) in an Openwall post, and their message is clear: patch now.
"With root access, an attacker can do virtually anything: modify the system, stay hidden, and move laterally across the network. If you leave a server unpatched, you're putting your entire infrastructure at risk."
The warning is stark: udisks is present on nearly all Linux systems, and the exploit is so simple that almost anyone could use it. That's why organizations should treat this threat as serious and urgent. No more “we’ll patch it next week”—this gap needs to be closed now.
This Isn't the First Time… and It Won’t Be the Last
Several critical flaws have previously been discovered in Linux that allow full system takeover—even on freshly installed systems with default configurations. Past vulnerabilities include:
- PwnKit, a flaw in Polkit’s pkexec component.
- Looney Tunables, in glibc’s dynamic loader ld.so.
- Sequoia, a kernel filesystem vulnerability.
- Baron Samedit, in the sudo tool.
And these aren’t just theoretical. For example, after Looney Tunables was disclosed, proof-of-concept exploits quickly surfaced online, and within a month, real-world attacks were using the flaw to steal cloud service credentials via Kinsing malware.
More recently, five privilege escalation bugs were found in needrestart, a utility that has shipped by default in Ubuntu since version 21.04—and those bugs had been active for over a decade.
The takeaway: if you're running Linux in production, don't wait for an attack to find you. Update PAM and libblockdev/udisks on all your systems now. It's better to be safe than to see your infrastructure compromised.
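As an added triage helper (not from the article or the Qualys advisory), the following POSIX shell script reports whether the components named above are installed on a host, whether udisks2.service is enabled, and whether the host is an openSUSE Leap 15 / SLE 15 system where the PAM chain also applies. The package name globs are assumptions, and the script does not know the fixed versions: compare what it prints with your distribution's advisory.

```shell
#!/bin/sh
# Added triage helper, not from the article or Qualys. Reports presence of the
# udisks/libblockdev (CVE-2025-6019) and SUSE 15 PAM (CVE-2025-6018) components;
# it does NOT know fixed versions, so compare output with your distro advisory.

# Print "name version installed" for installed packages matching the glob in $1,
# via dpkg (Debian/Ubuntu) or rpm (Fedora/SUSE). Package name globs are assumed.
pkg_versions() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='${Package} ${Version} ${Status}\n' "$1" 2>/dev/null \
            | grep ' installed$'
    elif command -v rpm >/dev/null 2>&1; then
        rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE} installed\n' "$1" 2>/dev/null
    fi
}

# Return 0 if the os-release text on stdin describes openSUSE Leap 15 or
# SUSE Linux Enterprise 15 (the systems named for the PAM flaw), else 1.
suse15_from_os_release() {
    id=''; ver=''
    while IFS='=' read -r key val; do
        val=${val%\"}; val=${val#\"}          # strip surrounding quotes
        case "$key" in
            ID) id=$val ;;
            VERSION_ID) ver=$val ;;
        esac
    done
    case "$id:$ver" in
        opensuse-leap:15*|sles:15*|sled:15*) return 0 ;;
    esac
    return 1
}

report() {
    for pat in 'udisks2*' 'libblockdev*'; do
        echo "== packages matching $pat =="
        out=$(pkg_versions "$pat")
        [ -n "$out" ] && echo "$out" || echo "(none found)"
    done
    if command -v systemctl >/dev/null 2>&1; then
        state=$(systemctl is-enabled udisks2.service 2>/dev/null)
        echo "udisks2.service: ${state:-unknown}"
    fi
    if [ -r /etc/os-release ] && suse15_from_os_release </etc/os-release; then
        echo "PAM chain: SUSE 15 host, apply the PAM update as well"
    else
        echo "PAM chain: not a SUSE 15 host (the udisks issue still applies)"
    fi
}
report
```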