
June has been a challenging month for cybersecurity teams, with a wave of high-impact vulnerabilities disrupting the threat landscape. After the disclosure of a newly patched XSS zero-day in Grafana (CVE-2025-4123), affecting over 46,500 active instances, two other critical flaws have surfaced that can be chained together, significantly increasing the potential for exploitation. Adversaries can weaponize two newly identified local privilege escalation (LPE) vulnerabilities, tracked as CVE-2025-6018 and CVE-2025-6019, to obtain root-level privileges on systems running major Linux distributions.
Vulnerability exploitation remains a critical security concern as the number of reported CVEs keeps climbing. By June 2025, 22,000+ vulnerabilities had been disclosed, reflecting a 16% increase over the same timeframe in 2024 and underscoring the growing pressure on defenders to keep pace.
Register for SOC Prime Platform to access the global active threats feed, providing actionable CTI and curated detection rules to proactively defend against emerging threats, including critical zero-days and known vulnerabilities. Security engineers can access a comprehensive collection of verified Sigma rules tagged by “CVE,” powered by a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection.
All detection algorithms can be automatically converted into multiple SIEM, EDR, and Data Lake formats to facilitate cross-platform threat detection and are mapped to MITRE ATT&CK® to streamline threat research. Each rule is also enriched with CTI links, attack timelines, audit configurations, triage recommendations, and more in-depth metadata. Click the Explore Detections button to drill down to the relevant detection stack addressing current and existing vulnerabilities filtered by the “CVE” tag.
Security engineers can also leverage Uncoder AI, which acts as an AI co-pilot, supporting detection engineers end-to-end while accelerating workflows and improving coverage. With Uncoder, security teams can instantly convert IOCs into custom hunting queries, craft detection code from live threat reports backed by AI, generate SOC content with custom AI prompts, employ syntax validation and detection logic refinement for better code quality, automatically visualize Attack Flows, and enrich Sigma rules with MITRE ATT&CK (sub-)techniques.
CVE-2025-6018 and CVE-2025-6019 Analysis
Qualys researchers have recently uncovered two novel LPE vulnerabilities that can be chained to give attackers root access on systems running widely adopted Linux distributions.
The first flaw, CVE-2025-6018, stems from a PAM configuration issue on openSUSE Leap 15 and SUSE Linux Enterprise 15. It lets any unprivileged local user, including one logged in over SSH, obtain the polkit “allow_active” status that is normally reserved for users with an active local (console) session.
The second issue, CVE-2025-6019, affects libblockdev and allows an “allow_active” user to elevate privileges to root by abusing the udisks daemon, a storage management service installed and enabled by default on most Linux distributions.
These modern local-to-root exploits effectively eliminate the gap between a standard user session and full system control. By combining trusted system components, such as udisks loop mounts, with PAM and environment misconfigurations, an attacker holding any active GUI or SSH session can bypass the “allow_active” trust boundary and escalate to root within seconds. Researchers emphasize that although the udisks flaw technically requires “allow_active” status, udisks is enabled by default on most Linux distributions, so nearly all systems carry the dangerous second half of the chain. Flaws like the disclosed PAM issue, or simply an attacker logging in at a local console, then supply the missing first half by granting “allow_active” access.
Once root privileges are obtained, adversaries gain full control of the system: they can disable EDR tools, modify security configurations, deploy persistent backdoors that survive reboots, and use the machine as a launchpad for further attacks. A single compromised server can quickly lead to fleet-wide compromise, especially when the targeted packages are installed by default across the estate.
Qualys has developed PoC exploits, validating these vulnerabilities across multiple distributions, including Ubuntu, Debian, Fedora, and openSUSE Leap 15.
As CVE-2025-6018 and CVE-2025-6019 mitigation steps to minimize exposure, users should immediately apply patches from their Linux vendors. As a temporary workaround until the libblockdev/udisks fix is installed, it is recommended to change the polkit rule for the org.freedesktop.udisks2.modify-device action so that it requires administrator authentication (auth_admin) instead of being granted automatically to “allow_active” users. Note that this workaround only raises the bar for that one udisks action; it does not address the PAM issue on SUSE systems, which needs the vendor patch.
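A polkit rule implementing the workaround above, added here as an example; it is not code from the Qualys advisory, from SUSE, or from the udisks project. It assumes a polkit version that reads JavaScript rules from /etc/polkit-1/rules.d/ (polkit 0.106 and later; systems still on the older .pkla format need the equivalent entry under /etc/polkit-1/localauthority/). The file name is an assumption. The rule returns auth_admin for org.freedesktop.udisks2.modify-device, so a user who already has “allow_active” status must still present administrator credentials before udisks will perform a device modification on their behalf.

```javascript
// /etc/polkit-1/rules.d/10-udisks2-modify-device.rules   (file name is an assumption)
//
// Temporary workaround for CVE-2025-6019: the stock udisks2 policy grants
// org.freedesktop.udisks2.modify-device to any "allow_active" user without
// authentication. Until the fixed libblockdev/udisks packages are installed,
// make that action require administrator authentication instead.
//
// polkit rules are plain JavaScript. polkit.Result.AUTH_ADMIN is the string
// "auth_admin" and polkit.Result.NOT_HANDLED is null, so the decision function
// returns those literals directly; that also lets it run outside polkitd
// (e.g. under node) for a quick check before deployment.

// Actions tightened by this rule. Only modify-device is named in the
// advisory; the list form just makes adding another action a one-line change.
var HARDENED_ACTIONS = ["org.freedesktop.udisks2.modify-device"];

// Decide one authorization request. `action.id` is the polkit action being
// checked; `subject` (the requesting process/user) is unused because the
// requirement applies regardless of who asks.
function udisksModifyDeviceRule(action, subject) {
    if (HARDENED_ACTIONS.indexOf(action.id) !== -1) {
        return "auth_admin";   // equivalent to polkit.Result.AUTH_ADMIN
    }
    return null;               // equivalent to polkit.Result.NOT_HANDLED:
                               // fall through to later rules / .policy defaults
}

// Register with polkitd when loaded as a rule file; skipped when the file is
// executed by a standalone JavaScript engine for testing.
if (typeof polkit !== "undefined") {
    polkit.addRule(udisksModifyDeviceRule);
}
```

After installing the file, check the journal for polkitd (for example `journalctl -u polkit`) to confirm it parsed the rule without errors, since a syntax error silently leaves the stock policy in force. Returning null for every other action keeps the rule narrow: it does not touch mounting, unlocking or other udisks operations that desktop users rely on.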
Chaining CVE-2025-6018 and CVE-2025-6019 allows any local user on SUSE Linux Enterprise 15 or openSUSE Leap 15, including one connected over SSH, to elevate from a standard account to root using only the default PAM and udisks setups. This significantly increases the threat level for global organizations. Once root access is gained, attackers can disable security tools, maintain persistence, and pivot laterally, putting the entire environment at risk and requiring an immediate, proactive response from defenders to prevent potential breaches. SOC Prime curates a complete product suite backed by AI, automated capabilities, real-time threat intelligence, and built on zero-trust principles to help organizations outscale cyber threats no matter their sophistication.
The post CVE-2025-6018 and CVE-2025-6019 Vulnerability Exploitation: Chaining Local Privilege Escalation Flaws Lets Attackers Gain Root Access on Most Linux Distributions appeared first on SOC Prime.