The Qualys Threat Research Unit (TRU) has discovered two linked local privilege escalation (LPE) flaws.
The first (CVE-2025-6018) resides in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. Using this vulnerability, an unprivileged local attacker—for example, via SSH—can elevate to the “allow_active” user and invoke polkit actions normally reserved for a physically present user.
The second (CVE-2025-6019) affects libblockdev, is exploitable via the udisks daemon included by default on most Linux distributions, and allows an “allow_active” user to gain full root privileges. Although CVE-2025-6019 on its own requires existing allow_active context, chaining it with CVE-2025-6018 enables a purely unprivileged attacker to achieve full root access.
This libblockdev/udisks flaw is extremely significant. Although it nominally requires “allow_active” privileges, udisks ships by default on almost all Linux distributions, so nearly any system is vulnerable. Techniques to gain “allow_active”, including the PAM issue disclosed here, further negate that barrier. An attacker can chain these vulnerabilities for immediate root compromise with minimal effort. Given the ubiquity of udisks and the simplicity of the exploit, organizations must treat this as a critical, universal risk and deploy patches without delay.
The Qualys Threat Research Unit (TRU) has developed proof-of-concept exploits to validate these vulnerabilities on various operating systems, successfully targeting the libblockdev/udisks flaw on Ubuntu, Debian, Fedora, and openSUSE Leap 15.
The Qualys Threat Research Unit has uncovered a large-scale, ongoing operation within the Mirai campaign, dubbed Murdoc Botnet.
NotLockBit is a new and emerging ransomware family that actively mimics the behavior and tactics of the well-known LockBit ransomware.
The Qualys Threat Research Unit (TRU) has identified five Local Privilege Escalation (LPE) vulnerabilities within the needrestart component, which is installed by default on Ubuntu Server. These vulnerabilities can be exploited by any unprivileged user to gain full root access without requiring user interaction. The identified flaws have been assigned the CVE identifiers CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003, highlighting the need for immediate remediation to protect system integrity.
Our TRU team has successfully developed functional exploits for these vulnerabilities. While we will not disclose our exploits, please be aware that these vulnerabilities are easily exploitable, and other researchers may release working exploits shortly following this coordinated disclosure.
These vulnerabilities have been present since the introduction of interpreter support in needrestart version 0.8, released in April 2014.
The Qualys Threat Research Unit (TRU) has discovered a Remote Unauthenticated Code Execution (RCE) vulnerability in OpenSSH’s server (sshd) in glibc-based Linux…
The Qualys Threat Research Unit (TRU) has recently unearthed four significant vulnerabilities in the GNU C Library, a cornerstone for countless applications in the Linux environment.
Before diving into the specific details of the vulnerabilities discovered by the Qualys Threat Research Unit in the GNU C Library, it’s crucial to understand these findings’ broader impact and importance. The GNU C Library, or glibc, is an essential component of virtually every Linux-based system, serving as the core interface between applications and the Linux kernel. The recent discovery of these vulnerabilities is not just a technical concern but a matter of widespread security implications.
The Qualys Threat Research Unit (TRU) has discovered a buffer overflow vulnerability in GNU C Library's dynamic loader's processing of the GLIBC_TUNABLES…
The Qualys Threat Research Unit (TRU) has discovered a remote code execution vulnerability in OpenSSH's forwarded ssh-agent. This vulnerability allows a remote…
We recently audited snap-confine (a SUID-root program that is installed
by default on Ubuntu) and discovered two vulnerabilities (two Local
Privilege Escalations, from any user to root): CVE-2021-44730 and
CVE-2021-44731.
The Qualys Research Team has discovered a memory corruption vulnerability in polkit's pkexec, a SUID-root program that is installed by default on every major…
