New Linux Privilege-Escalation Chain Gives Attackers Instant Root Access
Two Bugs, One Exploit Chain
Security researchers at Qualys have disclosed a pair of vulnerabilities that, when combined, let any local user, including one logged in over SSH, go from an ordinary account to root on affected Linux systems. The first flaw, CVE-2025-6018, sits in the Pluggable Authentication Modules (PAM) configuration shipped by openSUSE Leap 15 and SUSE Linux Enterprise 15. It lets an unprivileged user obtain the polkit status known as allow_active, which polkit normally grants only to sessions on a local seat, that is, to someone physically at the console.
The second issue, CVE-2025-6019, lives in libblockdev and is reachable through the udisks daemon that ships on almost every modern Linux system. Once the first bug has given an attacker allow_active status, the second hands over root privileges, completing the jump from “just logged in” to “owns the box.”
How the Attack Works
Qualys researchers describe the exploit as a modern “local-to-root” technique that collapses the normal safety gap between a standard session, whether over SSH or through a desktop login, and full system control. In the first stage, the attacker abuses SUSE’s PAM configuration so that the session is registered as a local, active one, which makes polkit treat the user as physically present even though the login came in remotely. With allow_active in hand, the attacker asks udisks to set up a loop device over a crafted file-system image and to operate on it. While servicing that request, libblockdev mounts the image without the nosuid and nodev options, so a setuid-root binary the attacker placed in the image can be executed, and a root shell appears in a matter of seconds.
Impact Across Popular Distributions
Although CVE-2025-6018 is specific to SUSE-based systems, the follow-on bug in udisks is present by default in most Linux releases, including Ubuntu, Debian and Fedora. Qualys built proof-of-concept exploits that worked on all of those platforms, showing that anyone who can find another route into allow_active—be it through physical access or a separate bug—can ride the chain all the way to root.
Once root access is granted, defenders lose nearly all leverage. An attacker could disable audit logs, add hidden users, plant persistence mechanisms or harvest additional credentials for lateral movement inside a corporate network. Because the udisks service runs with high privileges and listens for user requests, it provides an ideal trampoline for such post-compromise actions.
Patches and Temporary Defenses
Distribution vendors have already begun shipping updates. Users of openSUSE Leap 15 and SUSE Linux Enterprise 15 should install the revised PAM packages, and every distribution should pick up the fixed libblockdev and udisks builds, since the second bug is exploitable on its own by anyone who already holds allow_active. Until patches can be applied, administrators can override the polkit action org.freedesktop.udisks2.modify-device, which udisks ships with a default of allow_active, so that it requires auth_admin instead. That forces an administrator password prompt on every such request and blocks silent privilege escalation. The override belongs in a local polkit rule file rather than in the vendor-supplied .policy file, which the next udisks package update would overwrite.
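As a concrete form of that workaround, here is an added example (not Qualys's code and not part of udisks or polkit) of a small POSIX shell script that installs such an override and can later verify it is still in place. It assumes a polkit that reads JavaScript rule files from /etc/polkit-1/rules.d (polkit 0.106 and later) and that a rule returning a result takes precedence over the allow_active default in the shipped .policy file; the rule file name is this script's own choice.

```shell
#!/bin/sh
# Added example, not code from Qualys, udisks or polkit: install a local
# polkit rule that forces auth_admin for the udisks2 action named in the
# advisory, and audit that the rule is still present.
# Assumptions: polkitd reads JavaScript rules from /etc/polkit-1/rules.d
# (polkit >= 0.106) and a rule that returns a result takes precedence over
# the allow_active default in the vendor .policy file. The file name below
# is this script's own choice.
set -u

ACTION_ID="org.freedesktop.udisks2.modify-device"
RULE_FILE="10-harden-udisks2-modify-device.rules"

# write_udisks_override [DIR]
# Writes the override into DIR (default /etc/polkit-1/rules.d) and prints
# the path of the rule file.
write_udisks_override() {
    dir="${1:-/etc/polkit-1/rules.d}"
    mkdir -p "$dir"
    cat > "$dir/$RULE_FILE" <<EOF
// Temporary mitigation for CVE-2025-6019: require administrator
// authentication for $ACTION_ID even when polkit believes the
// requesting session is local and active (the status that CVE-2025-6018
// lets a remote user spoof on affected SUSE systems).
polkit.addRule(function(action, subject) {
    if (action.id == "$ACTION_ID") {
        return polkit.Result.AUTH_ADMIN;
    }
});
EOF
    chmod 0644 "$dir/$RULE_FILE"
    printf '%s\n' "$dir/$RULE_FILE"
}

# override_is_present [DIR]
# Succeeds (exit 0) when some .rules file in DIR mentions the action and
# pins it to AUTH_ADMIN, fails (exit 1) otherwise.
override_is_present() {
    dir="${1:-/etc/polkit-1/rules.d}"
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        if grep -q "$ACTION_ID" "$f" && grep -q 'polkit.Result.AUTH_ADMIN' "$f"; then
            return 0
        fi
    done
    return 1
}

case "${1:-}" in
    install) write_udisks_override "${2:-}" ;;
    check)   if override_is_present "${2:-}"; then
                 echo "override present"
             else
                 echo "no override for $ACTION_ID" >&2
                 exit 1
             fi ;;
esac
```

Run it as root with `install`, then `check` succeeds only while a rule pinning the action to AUTH_ADMIN exists, which makes it usable from a configuration-audit job. Two caveats: pkaction only reports the implicit defaults from the .policy file, not the effect of rules.d, so test the live decision with pkcheck (for example `pkcheck --action-id org.freedesktop.udisks2.modify-device --process $$` from an ordinary session, which should no longer succeed silently); and on the older polkit 0.105 branch that some Debian and Ubuntu releases still carry, rules.d is not consulted and the equivalent override is a .pkla file under /etc/polkit-1/localauthority/ with ResultActive=auth_admin.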
A Fresh Path-Traversal Bug in Linux PAM
The headline-grabbing chain is not the only PAM trouble this week. The Linux-PAM maintainers have also fixed CVE-2025-6020, a path-traversal flaw in the pam_namespace module: a local attacker can use symbolic-link races to make the module operate outside the directories it is supposed to confine. Systems that rely on pam_namespace for polyinstantiated directories, often used to give each user a private /tmp, were vulnerable until Linux-PAM 1.7.1 closed the hole. Security teams that cannot upgrade immediately can disable pam_namespace or make sure the module never operates on paths that users control.
Why These Flaws Matter
Privilege-escalation bugs rarely make headlines because they require a foothold on the target machine, but they remain invaluable to attackers who land that initial access through phishing or a weak password. In this case, the SUSE-specific PAM weakness and the widely available udisks issue form a lethal combination, turning a single low-level session into total domination of the host.
With desktop Linux use rising and server estates still heavily reliant on the platform, swift patching is essential. Administrators should roll out vendor fixes, review polkit settings for overly permissive rules and audit systems for unneeded services that run with elevated rights. On the defensive side, monitoring tools that flag unexpected udisks calls or sudden elevation to root can help spot exploitation attempts in real time and cut the attack chain before it reaches the finish line.
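As a worked check to go with that auditing advice, here is an added example (not from Qualys, udisks or libblockdev) of a POSIX shell script that reads /proc/self/mountinfo and reports every loop-device mount lacking the nosuid or nodev option, which is the condition the libblockdev flaw exploits: an attacker-supplied image mounted with setuid honoured. It can also list setuid files on a flagged mount point. The mountinfo lines in its demo mode are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from Qualys, udisks or libblockdev: find mounted
# loop devices that lack nosuid or nodev. CVE-2025-6019 comes down to
# libblockdev mounting an attacker-supplied image without those options,
# so a setuid-root binary inside the image can be executed. A mount table
# with no such loop mounts is what a clean host should show.
set -u

# audit_loop_mounts [MOUNTINFO]
# Reads MOUNTINFO (default /proc/self/mountinfo; format documented in
# proc(5)) and prints one RISK line per loop-device mount whose per-mount
# options lack nosuid or nodev. Exit status 1 if any were found, else 0.
audit_loop_mounts() {
    file="${1:-/proc/self/mountinfo}"
    awk '
    {
        # Fields: id parent major:minor root mountpoint options [optional...]
        # "-" fstype source superblock-options. The optional fields vary in
        # number, so locate the "-" separator first.
        sep = 0
        for (i = 7; i <= NF; i++) if ($i == "-") { sep = i; break }
        if (sep == 0) next
        fstype = $(sep + 1); source = $(sep + 2)
        split($3, devnum, ":")
        # Loop devices use block major number 7; also accept /dev/loopN by name.
        if (devnum[1] != "7" && source !~ /^\/dev\/loop/) next
        n = split($6, opt, ","); nosuid = 0; nodev = 0
        for (j = 1; j <= n; j++) {
            if (opt[j] == "nosuid") nosuid = 1
            if (opt[j] == "nodev")  nodev = 1
        }
        if (!nosuid || !nodev) {
            found++
            printf "RISK %s on %s (%s) options=%s\n", source, $5, fstype, $6
        }
    }
    END { exit (found ? 1 : 0) }
    ' "$file"
}

# suid_files_on_mount MOUNTPOINT
# Lists setuid regular files under MOUNTPOINT without crossing into other
# file systems; run it against each mount point the audit flagged.
suid_files_on_mount() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# sample_mountinfo
# Constructed mountinfo lines (not captured from a real host) for the demo:
# the root disk, a read-only image lacking nosuid, an image lacking both
# options, and a correctly hardened removable-media style mount.
sample_mountinfo() {
    cat <<'EOF'
25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
90 25 7:0 / /mnt/iso ro,nodev,relatime shared:40 - iso9660 /dev/loop0 ro
91 25 7:1 / /tmp/img-mount rw,relatime shared:41 - xfs /dev/loop1 rw,attr2
92 25 7:2 / /run/media/user/data rw,nosuid,nodev,relatime shared:42 - ext4 /dev/loop2 rw
EOF
}

case "${1:-}" in
    audit) audit_loop_mounts "${2:-}" ;;
    suid)  suid_files_on_mount "$2" ;;
    demo)  s=$(mktemp); sample_mountinfo > "$s"
           audit_loop_mounts "$s"; rc=$?; rm -f "$s"; exit "$rc" ;;
esac
```

`demo` runs the audit over the constructed table and flags /dev/loop0 (no nosuid) and /dev/loop1 (neither option) while leaving the hardened /dev/loop2 and the root disk alone; `audit` with no path inspects the live mount table, and `suid PATH` lists setuid files on any mount the audit reported. A flagged loop mount that exists only briefly is exactly the window the chain relies on, so a periodic run of this check from a monitoring job is a cheap complement to watching udisks requests.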