Attackers can now exploit two newly discovered local privilege escalation vulnerabilities to gain full root privileges on major Linux distributions. The first flaw, which is tracked as CVE-2025-6018, was found in the Pluggable Authentication Modules (PAM) framework on openSUSE systems. The other security bug, tracked as CVE-2025-6019, was discovered in the libblockdev library and it enables an “allow_active” user. While successfully abusing the two flaws as part of a chain exploit can quickly lead to a complete system takeover. The libblockdev and udisks flaw is also considered to be extremely dangerous on its own as a standalone security vulnerability.
The Qualys Threat Research Unit, which discovered and also responsibly reported both of the flaws, has developed proof-of-concept exploits. They successfully targeted CVE-2025-6019 to get root privileges on Ubuntu, Debian, Fedora, and also openSUSE Leap 15 systems. The vulnerability chain begins with CVE-2025-6018, which is a local privilege escalation flaw residing in the PAM configuration of SUSE systems. This particular misconfiguration allows unprivileged attackers connecting via SSH to elevate their current status to that of “allow_active” users. This initial but important foothold then becomes the primary launching point for the much more devastating second stage of the cyberattack.
Once an attacker achieves the “allow_active” status on a system, the second vulnerability provides a direct pathway to full root privileges.
The combination is particularly dangerous because the udisks daemon is pre-installed on mainstream distributions including Ubuntu, Debian, and Fedora. The PAM framework controls user authentication and determines which users qualify as “active” for privileged operations on the particular Linux system. In the affected SUSE systems, the PAM stack incorrectly treats remote SSH sessions as being equivalent to having local console access. An attacker with “allow_active” status can manipulate this specific interface to execute arbitrary code with root privileges on the system.
This completes the full privilege escalation chain.
Organizations must immediately implement comprehensive countermeasures to prevent the active exploitation of these newly discovered critical Linux security vulnerabilities. The primary mitigation involves modifying the polkit rules for the “org.freedesktop.udisks2.modify-device” action, changing the allow_active setting from “yes” to “auth_admin”. This specific configuration change can be implemented by creating or modifying the polkit rule files in the appropriate system directory. Security teams should also prioritize patching both the PAM configurations and the libblockdev/udisks components across their entire Linux infrastructure. Given that root access enables attackers to disable security agents, install persistent backdoors, and also move laterally through enterprise networks.
