CyberSecurity news

FlagThis - #privilegeescalation

Veronika Telychko@SOC Prime Blog //

Critical Linux LPE Vulnerabilities CVE-2025-6018 and CVE-2025-6019

Two critical local privilege escalation (LPE) vulnerabilities, CVE-2025-6018 and CVE-2025-6019, have been publicly disclosed, impacting a wide range of Linux distributions. Cybersecurity researchers at Qualys discovered that these vulnerabilities, when chained together, could allow an unprivileged user to gain full root access on vulnerable systems. The flaws reside in the Pluggable Authentication Modules (PAM) configuration (CVE-2025-6018) and the libblockdev library (CVE-2025-6019), with the latter being exploitable through the udisks daemon, which is commonly deployed by default in many Linux distributions.

Researchers have released proof-of-concept (PoC) exploit code demonstrating the effectiveness of the vulnerability chain, raising concerns about potential exploitation in the wild. CVE-2025-6018 allows an unprivileged local user to elevate permissions to "allow_active" status, enabling them to invoke Polkit actions typically reserved for users with physical access to the machine. CVE-2025-6019 then permits an "allow_active" user to gain full root privileges, effectively bypassing security controls and allowing for broader post-compromise actions.

The teams responsible for the development of most popular Linux builds have already begun working on fixes for these vulnerabilities. Patches for Ubuntu are reportedly ready, and users of other distributions are advised to closely monitor for updates and promptly install them as they become available. As a temporary workaround, Qualys recommends modifying the Polkit rule for "org.freedesktop.udisks2.modify-device" to require administrator authentication ("auth_admin"). This highlights the critical importance of regular patching and vulnerability management in maintaining the security of Linux systems.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • Blog: Field Effect details the vulnerabilities and the availability of proof-of-concept exploit code.
  • SOC Prime Blog: SocPrime's blog post discusses the CVE-2025-6018 and CVE-2025-6019 vulnerabilities and their potential impact.
  • Kaspersky official blog: Vulnerability CVE-2025-6019 allows an attacker to gain root privileges in most Linux distributions.
  • The Hacker News: New Linux Kernel Vulnerabilities Allow Full Root Access via PAM and Udisks Across Major Distributions
  • securityaffairs.com: This article explains the two LPE vulnerabilities impacting Linux systems.
Classification:
@blog.redteam-pentesting.de //

New Kerberos Relay Attack Bypasses NTLM Protections

A new Kerberos relay attack, identified as CVE-2025-33073, has been discovered that bypasses NTLM protections and allows attackers to escalate privileges to NT AUTHORITY\SYSTEM. This reflective Kerberos relay attack involves coercing a host to authenticate, intercepting the Kerberos ticket, and relaying it back to the same host, effectively exploiting misconfigurations and the lack of enforced SMB signing. RedTeam Pentesting discovered the vulnerability in January 2025 and disclosed it to Microsoft in an extensive whitepaper.

Microsoft addressed this vulnerability as part of the June 2025 Patch Tuesday. Technical analyses of CVE-2025-33073 have been published by RedTeam Pentesting and Synacktiv. The vulnerability is rooted in how the SMB client negotiates Kerberos authentication. When the SMB client has negotiated Kerberos instead of NTLM, a session key is inserted into a global list, KerbSKeyList, without proper checks, allowing attackers to reuse a subkey under specific conditions to forge a privileged token.

The attack begins with authentication coercion via SMB, tricking a victim machine into connecting to a malicious SMB server. The server forces the client into Kerberos authentication, generates a subkey, logs it into KerbSKeyList with privileged token data, and forges a valid AP-REQ ticket using the subkey. The SMB client accepts and validates the forged ticket, leading to the generation of a SYSTEM token and granting administrative privileges. A proof-of-concept exploit has been made available to demonstrate the vulnerability's potential.

Share: bluesky twitterx--v2 facebook--v1 threads


References :
  • bsky.app: RedTeam Pentesting and Synacktiv have published technical analyses of CVE-2025-33073, a new way to execute NTLM reflection attacks. This was fixed in this month's Patch Tuesday and also works against Kerberos.
  • Catalin Cimpanu: RedTeam Pentesting and Synacktiv have published technical analyses of CVE-2025-33073, a new way to execute NTLM reflection attacks. This was fixed in this month's Patch Tuesday and also works against Kerberos.
  • securityonline.info: Windows SMB Flaw (CVE-2025-33073): SYSTEM Privilege Escalation via Kerberos, PoC Available
  • blog.redteam-pentesting.de: Reflective Kerberos Relay Attack
  • www.synacktiv.com: NTLM reflection is dead, long live NTLM reflection: An in-depth analysis of CVE-2025
  • Daily CyberSecurity: Windows SMB Flaw (CVE-2025-33073): SYSTEM Privilege Escalation via Kerberos, PoC Available
  • infosecwriteups.com: Reflective Kerberos Relay Attack (CVE-2025-33073): NT AUTHORITY\SYSTEM Privilege Escalation
Classification:
  • HashTags: #Kerberos #PrivilegeEscalation #NTLM
  • Company: Microsoft
  • Target: Windows hosts in Active Directory environments
  • Attacker: RedTeam Pentesting
  • Product: Windows
  • Feature: Kerberos Authentication
  • Malware: CVE-2025-33073
  • Type: Vulnerability
  • Severity: Major

Posts

Blogs

Research Tools