Qualys TRU Uncovers Chained LPE: SUSE 15 PAM to Full Root via libblockdev/udisks


The Qualys Threat Research Unit (TRU) has discovered two linked local privilege escalation (LPE) flaws.

The first (CVE-2025-6018) resides in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. Using this vulnerability, an unprivileged local attacker—for example, via SSH—can elevate to the “allow_active” user and invoke polkit actions normally reserved for a physically present user.

The second (CVE-2025-6019) affects libblockdev, is exploitable via the udisks daemon included by default on most Linux distributions, and allows an “allow_active” user to gain full root privileges. Although CVE-2025-6019 on its own requires existing allow_active context, chaining it with CVE-2025-6018 enables a purely unprivileged attacker to achieve full root access.

This libblockdev/udisks flaw is extremely significant. Although it nominally requires “allow_active” privileges, udisks ships by default on almost all Linux distributions, so nearly any system is vulnerable. Techniques to gain “allow_active”, including the PAM issue disclosed here, further negate that barrier. An attacker can chain these vulnerabilities for immediate root compromise with minimal effort. Given the ubiquity of udisks and the simplicity of the exploit, organizations must treat this as a critical, universal risk and deploy patches without delay.

The Qualys Threat Research Unit (TRU) has developed proof-of-concept exploits to validate these vulnerabilities on various operating systems, successfully targeting the libblockdev/udisks flaw on Ubuntu, Debian, Fedora, and openSUSE Leap 15.

Understanding PAM and udisks/libblockdev

PAM Configuration in openSUSE/SLE 15: The Pluggable Authentication Modules (PAM) framework controls how users authenticate and start sessions on Linux. In openSUSE/SLE 15, the PAM stack is configured to determine which users count as “active” (i.e., physically present) for privileged actions. A misconfiguration here can treat any local login—including remote SSH sessions—as if the user were at the console. This “allow_active” context typically grants access to certain polkit operations reserved for someone at the machine; if misapplied, it lets an unprivileged user perform actions they should not.

udisks Daemon and libblockdev: The udisks service runs by default on most Linux systems, offering a D-Bus interface for storage management (mounting, querying, formatting, etc.). Under the hood, udisks calls into libblockdev, a library handling low-level block-device operations. A flaw in libblockdev—reachable via udisks—allows any user already in the “allow_active” context to escalate directly to root. Since udisks is ubiquitous, understanding its role and how it uses libblockdev is key; it’s the component that bridges a session’s privileges to device-management routines, and a vulnerability here can give full system control.

Potential Impact

These modern “local-to-root” exploits have collapsed the gap between an ordinary logged-in user and a full system takeover. By chaining legitimate services such as udisks loop-mounts and PAM/environment quirks, attackers who own any active GUI or SSH session can vault across polkit’s allow_active trust zone and emerge as root in seconds. Nothing exotic is required: each link is pre-installed on mainstream Linux distros and their server builds.

Root access is the highest-impact outcome of a vulnerability. From there, an intruder can silently unload EDR agents and implant kernel-level backdoors for persistent code execution, or rewrite system configurations so that the changes survive reboots. Compromised servers then become launchpads for lateral movement, and exploits targeting default server packages can spread from a single compromised system into a fleet-wide issue. To reduce this risk, apply updates fleet-wide and strengthen security controls such as polkit rules and loop-mount policies. This broad strategy helps contain an initial breach and protect the entire network.

Mitigation Guideline for libblockdev/udisks Vulnerability

The default polkit policy for the “org.freedesktop.udisks2.modify-device” action may allow any active user to modify devices. This can be exploited to bypass security restrictions. To mitigate this, the policy should be changed to require administrator authentication for this action.

Configuration Change

To mitigate this vulnerability, modify the polkit rule for "org.freedesktop.udisks2.modify-device". Change the allow_active setting from yes to auth_admin.
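The following script is an added example, not Qualys' or the udisks project's code: it audits the installed polkit default for the modify-device action and drops an override into polkit's JavaScript rules directory (supported by polkit 0.106 and later) so that the action requires admin authentication. Assumptions: the installed policy normally lives at /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy and local rules in /etc/polkit-1/rules.d; the sample XML embedded below is constructed to mirror the vulnerable default.

```shell
#!/bin/sh
# Added example (not Qualys' code). Assumed paths: policy file usually at
# /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy, override rules in
# /etc/polkit-1/rules.d. The sample policy at the bottom is constructed.

# Print the <allow_active> default for action id $2 in policy file $1.
policy_allow_active() {
  awk -v id="$2" '
    index($0, "<action id=\"" id "\">") { inside = 1 }
    inside && match($0, /<allow_active>[^<]*<\/allow_active>/) {
      print substr($0, RSTART + 14, RLENGTH - 29); exit
    }
    /<\/action>/ { inside = 0 }
  ' "$1"
}

# Succeeds (exit 0) when modify-device is granted to any active session
# without authentication, i.e. when allow_active is "yes".
modify_device_is_open() {
  [ "$(policy_allow_active "$1" org.freedesktop.udisks2.modify-device)" = "yes" ]
}

# Write a rules.d override into directory $1 forcing admin authentication
# for modify-device regardless of whether the session counts as active.
write_udisks_override() {
  mkdir -p "$1"
  cat > "$1/10-udisks2-modify-device.rules" <<'EOF'
polkit.addRule(function(action, subject) {
    if (action.id == "org.freedesktop.udisks2.modify-device") {
        return polkit.Result.AUTH_ADMIN;
    }
});
EOF
}

# Constructed sample policy mirroring the vulnerable default, written to $1.
write_sample_policy() {
  cat > "$1" <<'EOF'
<policyconfig>
  <action id="org.freedesktop.udisks2.filesystem-mount-system">
    <defaults><allow_active>auth_admin</allow_active></defaults>
  </action>
  <action id="org.freedesktop.udisks2.modify-device">
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>
EOF
}
```

Run `modify_device_is_open /usr/share/polkit-1/actions/org.freedesktop.UDisks2.policy` to check a host; if it succeeds, `write_udisks_override /etc/polkit-1/rules.d` (as root) installs the override until the vendor patch is applied.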

Always prioritize patches and follow specific instructions from your Linux distribution vendor’s advisory.

Technical Details

You can find the technical details of these vulnerabilities at: https://www.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt

Link to patches: https://www.openwall.com/lists/oss-security/2025/06/17/5

Qualys QID Coverage

Qualys will release the QIDs in the table below as they become available.

QID   Title   Version                          Supported On
TBD   TBD     Available by the end of the day  Scanner + Agent

Conclusion

Chaining CVE-2025-6018 and CVE-2025-6019 lets any SUSE 15/Leap 15 SSH user leap from “normal” to root with the default PAM + udisks installed. One vulnerability grants allow_active, and the next turns that status into full root, all with built-in packages. Root access enables agent tampering, persistence, and lateral movement, so one unpatched server endangers the whole fleet. Patch both PAM and libblockdev/udisks everywhere to eliminate this path.

Enhance Your Security Posture with Qualys Vulnerability Management, Detection, and Response (VMDR)

Qualys VMDR offers comprehensive coverage and visibility into vulnerabilities, empowering organizations to rapidly respond to, prioritize, and address the associated risks.

Leverage the power of Qualys VMDR alongside TruRisk and the Qualys Query Language (QQL) to efficiently identify and prioritize vulnerable assets, effectively addressing these vulnerabilities.
