CVE-2025-11561 - OpenCVE

A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Redhat	Enterprise Linux Openshift Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Eus Long Life Rhel Tus

No data.

References

Link	Providers
https://access.redhat.com/errata/RHSA-2025:19610
https://access.redhat.com/errata/RHSA-2025:19847
https://access.redhat.com/errata/RHSA-2025:19848
https://access.redhat.com/errata/RHSA-2025:19849
https://access.redhat.com/errata/RHSA-2025:19850
https://access.redhat.com/errata/RHSA-2025:19851
https://access.redhat.com/errata/RHSA-2025:19852
https://access.redhat.com/errata/RHSA-2025:19853
https://access.redhat.com/errata/RHSA-2025:19854
https://access.redhat.com/errata/RHSA-2025:19859
https://access.redhat.com/security/cve/CVE-2025-11561
https://blog.async.sg/kerberos-ldr
https://bugzilla.redhat.com/show_bug.cgi?id=2402727
https://nvd.nist.gov/vuln/detail/CVE-2025-11561
https://www.cve.org/CVERecord?id=CVE-2025-11561

History

Thu, 06 Nov 2025 13:00:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:10~~	cpe:/o:redhat:enterprise_linux:10.0
References		https://access.redhat.com/errata/RHSA-2025:19851

Thu, 06 Nov 2025 07:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Eus
CPEs		cpe:/a:redhat:rhel_eus:9.4::appstream cpe:/a:redhat:rhel_eus:9.4::crb cpe:/o:redhat:rhel_eus:9.4::baseos
Vendors & Products		Redhat rhel Eus
References		https://access.redhat.com/errata/RHSA-2025:19852

Thu, 06 Nov 2025 05:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/o:redhat:rhel_aus:8.2::baseos
References		https://access.redhat.com/errata/RHSA-2025:19859

Thu, 06 Nov 2025 05:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/o:redhat:rhel_aus:8.6::baseos cpe:/o:redhat:rhel_e4s:8.6::baseos cpe:/o:redhat:rhel_tus:8.6::baseos
References		https://access.redhat.com/errata/RHSA-2025:19849

Thu, 06 Nov 2025 04:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_e4s:9.2::appstream cpe:/o:redhat:rhel_e4s:9.2::baseos
References		https://access.redhat.com/errata/RHSA-2025:19854

Thu, 06 Nov 2025 03:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Tus
CPEs		cpe:/a:redhat:rhel_e4s:8.8::appstream cpe:/a:redhat:rhel_tus:8.8::appstream cpe:/o:redhat:rhel_e4s:8.8::baseos cpe:/o:redhat:rhel_tus:8.8::baseos
Vendors & Products		Redhat rhel Tus
References		https://access.redhat.com/errata/RHSA-2025:19853

Thu, 06 Nov 2025 03:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel E4s Redhat rhel Els Redhat rhel Eus Long Life
CPEs	~~cpe:/o:redhat:enterprise_linux:7~~	cpe:/o:redhat:rhel_aus:8.4::baseos cpe:/o:redhat:rhel_e4s:9.0::baseos cpe:/o:redhat:rhel_els:7 cpe:/o:redhat:rhel_eus_long_life:8.4::baseos
Vendors & Products		Redhat rhel Aus Redhat rhel E4s Redhat rhel Els Redhat rhel Eus Long Life
References		https://access.redhat.com/errata/RHSA-2025:19847 https://access.redhat.com/errata/RHSA-2025:19848 https://access.redhat.com/errata/RHSA-2025:19850

Tue, 04 Nov 2025 11:00:00 +0000

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:8~~	cpe:/a:redhat:enterprise_linux:8::appstream cpe:/a:redhat:enterprise_linux:8::crb cpe:/o:redhat:enterprise_linux:8::baseos
References		https://access.redhat.com/errata/RHSA-2025:19610

Fri, 10 Oct 2025 14:15:00 +0000

Type	Values Removed	Values Added
Description	A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, SSSD does not enable the Kerberos local authentication plugin (sssd_krb5_localauth_plugin), allowing an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users. This can result in unauthorized access or privilege escalation on domain-joined Linux hosts.	A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.

Fri, 10 Oct 2025 00:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2025-11561 https://www.cve.org/CVERecord?id=CVE-2025-11561
Metrics	threat_severity `None`	threat_severity `Important`

Thu, 09 Oct 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 09 Oct 2025 13:45:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, SSSD does not enable the Kerberos local authentication plugin (sssd_krb5_localauth_plugin), allowing an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users. This can result in unauthorized access or privilege escalation on domain-joined Linux hosts.
Title		Sssd: sssd default kerberos configuration allows privilege escalation on ad-joined linux systems
First Time appeared		Redhat Redhat enterprise Linux Redhat openshift
Weaknesses		CWE-269
CPEs		cpe:/a:redhat:openshift:4 cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux Redhat openshift
References		https://access.redhat.com/security/cve/CVE-2025-11561 https://blog.async.sg/kerberos-ldr https://bugzilla.redhat.com/show_bug.cgi?id=2402727
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-10-09T13:37:53.089Z

Updated: 2025-11-07T19:42:07.614Z

Reserved: 2025-10-09T13:03:30.189Z

Link: CVE-2025-11561

Vulnrichment

Updated: 2025-10-09T13:51:06.747Z

NVD

Status : Awaiting Analysis

Published: 2025-10-09T14:15:54.447

Modified: 2025-11-06T13:15:36.597

Link: CVE-2025-11561

Redhat

Severity : Important

Publid Date: 2025-10-09T00:00:00Z

Links: CVE-2025-11561 - Bugzilla

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object