Jun 20, 2025 1 min read

Linux Distros are under attack, exploited to get root access

BugFix author profile image BugFix
Linux Distros are under attack, exploited to get root access
Photo by Gabriel Heinzer / Unsplash
Table of Contents

Qualys researchers have unearthed two local privilege escalation vulnerabilities (CVE-2025-6018, CVE-2025-6019) that can be exploited in tandem to achieve root access on most Linux distributions “with minimal effort.”

Under what conditions can CVE-2025-6019 be exploited?

The libblockdev library is used for low-level operations with block devices (e.g., hard disks) in Linux. The CVE-2025-6019 vulnerability is exploited by accessing the udisks2 daemon (used to manage storage devices), provided that the attackers manage to obtain the privileges of the active user present on the computer (allow_active).

Almost all modern popular Linux builds include udisks, and enthusiasts have already tested the exploitability of the CVE-2025-6019 vulnerability on Ubuntu, Debian, Fedora, and openSUSE. In theory, only the user physically using the computer can have allow_active privileges. However, in reality, an attacker may have the means to obtain allow_active remotely.

For example, the researchers who discovered CVE-2025-6019 initially demonstrated (POC) it in the exploitation chain, where allow_active privileges are obtained through another vulnerability — CVE-2025-6018 — which is contained in the configuration of pluggable authentication modules (PAMs). CVE-2025-6018 is present in at least openSUSE Leap 15 and SUSE Linux Enterprise 15, but may be relevant for other distributions as well.

How to fix this

Patches for Ubuntu are ready. Users of other distributions are advised to monitor for updates and install them promptly as they’re released.

Suppose the patch is not yet available for your Linux distribution, or you cannot install it for some reason. In that case, the Qualys experts who found the vulnerability recommend changing the setting allow_active of the polkit rule org.freedesktop.udisks2.modify-device from yes to auth_admin.

victim> cat /usr/share/polkit-1/actions/org.freedesktop.login1.policy
...
        <action id="org.freedesktop.login1.reboot">
                <description gettext-domain="systemd">Reboot the system</description>
...
                        <allow_any>auth_admin_keep</allow_any>
                        <allow_inactive>auth_admin_keep</allow_inactive>
                        <allow_active>yes</allow_active>
...

for reference purpose only

Linux Ubuntu Tools DevOps Debian Alert
You might also like
Debian 2 min read

htop : An interactive command line Linux Task Manager

htop is an interactive process viewer. It is a cross-platform tool used to monitor system processes in real-time. This article will delve into the utility of the htop command in Linux, helping you understand its syntax, options, and practical use-cases.…
BugFix
BugFix
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to BugFix.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.