Full Report
June has been a challenging month for cybersecurity teams, with a wave of high-impact vulnerabilities disrupting the threat landscape. After the disclosure of a newly patched XSS zero-day in Grafana (CVE-2025-4123), affecting over 46,500 active instances, two other critical flaws have surfaced that can be chained together, significantly increasing the potential for exploitation. Adversaries can […] The post CVE-2025-6018 and CVE-2025-6019 Vulnerability Exploitation: Chaining Local Privilege Escalation Flaws Lets Attackers Gain Root Access on Most Linux Distributions appeared first on SOC Prime.
Analysis Summary
# Vulnerability: Chained LPE Flaws Grant Root Access on Linux Systems
## CVE Details
- CVE ID: CVE-2025-6018 and CVE-2025-6019 (These two vulnerabilities are chained)
- CVSS Score: Not explicitly provided, but described as allowing attackers to gain **Root Access**, implying High/Critical severity.
- CWE: Not explicitly provided.
## Affected Systems
- Products: Various Linux distributions; those specifically mentioned are Ubuntu, Debian, Fedora, and openSUSE Leap 15.
- Versions: Specific versions are not listed, but the issue affects default package configurations, including SUSE 15 and Leap 15, where chaining the two flaws allows local users to gain root.
- Configurations: Exploitation is possible using default PAM and `udisks` setups.
## Vulnerability Description
This vulnerability involves chaining two separate Local Privilege Escalation (LPE) flaws (CVE-2025-6018 and CVE-2025-6019) affecting core Linux components. When chained, these flaws allow an attacker with local SSH access (a standard user) to escalate privileges all the way to `root` on vulnerable systems. The chain relies specifically on default PAM and `udisks` configurations.
## Exploitation
- Status: **PoC available**. Qualys has developed and validated Proof-of-Concept exploits across multiple distributions.
- Complexity: The chain is described as letting an ordinary **SSH user** reach root, which suggests that the final escalation step is of low complexity once local access exists.
- Attack Vector: **Local** (Requires prior user access, such as via SSH).
## Impact
- Confidentiality: **High** (Root access allows full system compromise).
- Integrity: **High** (Root access allows complete modification of system state).
- Availability: **High** (Root access allows disabling security tools and system disruption).
## Remediation
### Patches
- Users must immediately apply patches released by their respective Linux vendors (Ubuntu, Debian, Fedora, openSUSE/SUSE). The specific patched versions are not detailed in the summary but vendor advisories should be consulted.
### Workarounds
- **Temporary Mitigation:** Adjust the Polkit rule for `org.freedesktop.udisks2.modify-device` to specifically require administrator authentication (`auth_admin`).
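An added example (not from the SOC Prime post or the Qualys write-up) that installs the workaround above as a polkit rule and audits the stock policy defaults for that action. It assumes a polkit that reads JavaScript `.rules` files (0.106 or newer; 0.105 builds use `.pkla` files instead); the rules directory, the file name and the `pkaction` outputs are hypothetical or constructed.

```shell
# Assumes polkit >= 0.106 (JavaScript .rules); paths and samples below are hypothetical/constructed.
ACTION_ID="org.freedesktop.udisks2.modify-device"
# Constructed sample of `pkaction --verbose --action-id $ACTION_ID` on a stock system:
# active local sessions get "yes" (no authentication), the state the PAM flaw in the
# chain lets a remote SSH user obtain.
SAMPLE_STOCK='org.freedesktop.udisks2.modify-device:
  description:       Modify a device
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   yes'
# Constructed sample: what a .policy edited to auth_admin in every state would report.
SAMPLE_HARDENED='org.freedesktop.udisks2.modify-device:
  description:       Modify a device
  implicit any:      auth_admin
  implicit inactive: auth_admin
  implicit active:   auth_admin'
# Audit pkaction output on stdin: 0 if all three session states need auth_admin
# (or auth_admin_keep), 1 if any state gets a weaker answer such as "yes".
stock_policy_requires_admin() {
  awk '/^ *implicit (any|inactive|active):/ {
         seen++
         if ($NF != "auth_admin" && $NF != "auth_admin_keep") weak++
       }
       END { if (seen == 3 && weak == 0) exit 0; exit 1 }'
}
# Install the override rule in the given rules directory. pkaction keeps reporting the
# .policy defaults afterwards; polkitd applies the rule when it evaluates a request.
write_udisks_rule() {
  cat > "${1:-/etc/polkit-1/rules.d}/10-udisks2-modify-device.rules" <<'EOF'
// Require administrator authentication for udisks2 device modification in every
// session state, overriding the stock "yes" for active local sessions.
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.modify-device") {
        return polkit.Result.AUTH_ADMIN;
    }
});
EOF
}
# 0 if some rule file in the directory names the action and returns AUTH_ADMIN, else 1.
udisks_rule_present() {
  for f in "${1:-/etc/polkit-1/rules.d}"/*.rules; do
    [ -f "$f" ] || continue
    grep -q "$ACTION_ID" "$f" && grep -q 'polkit.Result.AUTH_ADMIN' "$f" && return 0
  done
  return 1
}
```

On a live system, run `pkaction --verbose --action-id org.freedesktop.udisks2.modify-device | stock_policy_requires_admin` to see whether the defaults need overriding, then `write_udisks_rule` as root and confirm with `udisks_rule_present`.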
## Detection
- **Indicators of Compromise:** Post-exploitation indicators include disabled security tools or the presence of unauthorized persistence mechanisms established by a process running as root that originated from a standard user session.
- **Detection Methods and Tools:** Due to the reliance on default PAM and `udisks` setups, detection efforts should focus on monitoring privilege escalation attempts, unusual process creation following legitimate user logins, and modifications to audit or security configurations after initial access.
## References
- Vendor advisories (Must be checked for specific patching details).
- Relevant links (defanged):
  - hxxps://blog.qualys.com/vulnerabilities-threat-research/2025/06/17/qualys-tru-uncovers-chained-lpe-suse-15-pam-to-full-root-via-libblockdev-udisks#mitigation-guideline-for-libblockdev-udisks-vulnerability