June 18, 2025 By Zeljka Zorz
CVE-2025-6018 affects the Pluggable Authentication Modules (PAM) configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15, and allows an unprivileged local attacker – for example, an attacker who logs in via a remote SSH session – to gain the “allow_active” privileges of a physically present user.
(The PAM framework controls how users authenticate and start sessions on Linux, and the vulnerability is effectively a misconfiguration that treats *any* local login as if the user were actually at the console.)
Having “allow_active” privileges allows the attacker to perform actions necessary to exploit CVE-2025-6019, a vulnerability in libblockdev, to elevate privileges to root.
Once root access is achieved, the attacker can do much damage: switch off EDR agents, implant backdoors, change configurations, and so on. The compromised system can thus become a launchpad for wider organizational compromise.
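As an added defender-side check (not from the article or from SUSE), the script below flags logind sessions that are remote logins yet reported active on a local seat, which is the state in which polkit treats a user as “allow_active”. The loginctl output is a constructed sample; the field names (Remote, Active, Seat, Service) are standard `loginctl show-session` properties.

```python
import subprocess

# Constructed sample output in the format of `loginctl show-session <ID>`:
# a console login (1) and two SSH logins (7, 9). Session 7 is the condition
# this check looks for: a remote login that logind nevertheless reports as
# active on a local seat, which is what polkit's allow_active keys off.
SAMPLE_SESSIONS = {
    "1": "Id=1\nName=alice\nService=login\nSeat=seat0\nRemote=no\nActive=yes\n",
    "7": "Id=7\nName=bob\nService=sshd\nRemoteHost=198.51.100.23\nSeat=seat0\n"
         "Remote=yes\nActive=yes\n",
    "9": "Id=9\nName=carol\nService=sshd\nRemoteHost=203.0.113.5\n"
         "Remote=yes\nActive=no\n",
}


def parse_session(text):
    """Turn the Key=Value lines of loginctl show-session into a dict."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def is_remote_but_active(props):
    """True when a remote (e.g. SSH) session is active on a local seat."""
    remote = props.get("Remote") == "yes" or props.get("Service") == "sshd"
    on_seat = bool(props.get("Seat"))
    return remote and on_seat and props.get("Active") == "yes"


def find_remote_active_sessions(sessions):
    """Return the IDs of sessions that should not hold allow_active."""
    return sorted(sid for sid, text in sessions.items()
                  if is_remote_but_active(parse_session(text)))


def collect_live_sessions():
    """Query logind on a real host (requires systemd and loginctl)."""
    listing = subprocess.run(["loginctl", "list-sessions", "--no-legend"],
                             capture_output=True, text=True, check=True).stdout
    sessions = {}
    for line in listing.splitlines():
        if not line.strip():
            continue
        sid = line.split()[0]  # first column is the session ID
        sessions[sid] = subprocess.run(["loginctl", "show-session", sid],
                                       capture_output=True, text=True,
                                       check=True).stdout
    return sessions


if __name__ == "__main__":
    # Runs on the constructed sample; use collect_live_sessions() on a host.
    for sid in find_remote_active_sessions(SAMPLE_SESSIONS):
        print(f"session {sid}: remote login reported active on a local seat")
```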