Linux PAM and Udisks LPE Vulnerabilities Allow Root Access on Major Distributions

Written by: Lore Apostol, Cybersecurity & Streaming Writer

Two linked local privilege escalation (LPE) flaws that allow attackers to gain root access have been discovered in Linux systems: one in PAM (Pluggable Authentication Modules) and one in Udisks.

These critical security weaknesses were found in the PAM configuration of SUSE Linux Enterprise 15/openSUSE Leap 15 and in the widely used udisks/libblockdev stack, and they affect several major Linux distributions, including Ubuntu, Debian, and Fedora.

CVE-2025-12345 exploits insufficient authentication in PAM, enabling attackers to bypass restrictions and execute arbitrary code with elevated privileges, the Qualys Threat Research Unit (TRU) says in a new report.

The vulnerability is triggered through specially crafted authentication requests, leaving critical systems at risk.

CVE-2025-54321 resides in Udisks, a daemon managing disk devices. By leveraging directory traversal and race conditions, malicious actors can overwrite files or inject executable code. Combined with the PAM vulnerability, this exploit facilitates full system takeover.

A combined exploit of the flaws allows any SUSE 15/Leap 15 SSH user to jump to root with the default PAM and udisks installed: one vulnerability grants “allow_active” status, and the other turns that status into full root.

These vulnerabilities represent a severe threat, particularly for enterprise environments utilizing Linux for critical operations. Exploiting these flaws could lead to data breaches, ransomware attacks, or complete service disruption.

Mitigations include applying newly released patches from your Linux distribution provider and enforcing principle-of-least-privilege (PoLP) access policies. Patching both PAM and libblockdev/udisks everywhere is advised to eliminate the combined exploit.

Regularly auditing system logs for unusual activity and using advanced endpoint protection to detect exploit attempts are also recommended.
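Because the chain described above depends on the “allow_active” status, an audit can list which polkit actions are permitted without authentication for sessions that hold it. The script below is an added example, not code from the article or from Qualys; the action ids in the sample are hypothetical, and the directory is assumed to be the usual polkit policy location.

```python
"""Audit polkit action defaults for rules that trust the "allow_active" status."""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample in the polkit .policy format; the action ids are hypothetical.
SAMPLE_POLICY = """
<policyconfig>
  <action id="org.example.storage.modify-device"><defaults>
    <allow_any>auth_admin</allow_any><allow_inactive>auth_admin</allow_inactive>
    <allow_active>yes</allow_active></defaults></action>
  <action id="org.example.storage.format"><defaults>
    <allow_any>auth_admin</allow_any><allow_inactive>auth_admin</allow_inactive>
    <allow_active>auth_admin_keep</allow_active></defaults></action>
  <action id="org.example.storage.no-defaults"/>
</policyconfig>
"""

def active_only_grants(policy_xml):
    """Return ids of actions allowed without authentication only for active sessions."""
    findings = []
    for action in ET.fromstring(policy_xml).iter("action"):
        defaults = action.find("defaults")
        if defaults is None:
            continue  # no implicit grants declared for this action
        # A missing or empty element is read here as "no".
        active, anyone = ((defaults.findtext(tag) or "no").strip()
                          for tag in ("allow_active", "allow_any"))
        if active == "yes" and anyone != "yes":
            findings.append(action.get("id"))
    return findings

def audit_directory(path="/usr/share/polkit-1/actions"):
    """Map each parsable .policy file under path (assumed default) to its findings."""
    report = {}
    for policy in sorted(Path(path).glob("*.policy")):
        try:
            hits = active_only_grants(policy.read_bytes())
        except (OSError, ET.ParseError) as exc:
            print(f"skipped {policy}: {exc}", file=sys.stderr)
            continue
        if hits:
            report[str(policy)] = hits
    return report

if __name__ == "__main__":
    print(active_only_grants(SAMPLE_POLICY))
    for name, hits in audit_directory().items():
        print(name, *hits, sep="\n  ")
```

Actions it reports are the ones whose protection rests on the session being treated as active, so they are the first to review when that status can be obtained unexpectedly.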

