Home

Description

A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, where it fails to validate the uniqueness of the krbCanonicalName. While the previously released version added validations for the admin@REALM credential, FreeIPA still does not validate the root@REALM canonical name, which can also be used as the realm administrator's name. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.

PUBLISHED Reserved 2025-07-11 | Published 2025-09-30 | Updated 2025-11-06 | Assigner redhat




CRITICAL: 9.1CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Problem types

Insufficient Granularity of Access Control

Product status

Default status
affected

0:4.12.2-15.el10_0.4 (rpm) before *
unaffected

Default status
affected

0:4.6.8-5.el7_9.23 (rpm) before *
unaffected

Default status
affected

8100020250919180242.143e9e98 (rpm) before *
unaffected

Default status
affected

8100020250918211722.823393f5 (rpm) before *
unaffected

Default status
affected

8020020250924110056.50ea30f9 (rpm) before *
unaffected

Default status
affected

8020020250924104944.792f4060 (rpm) before *
unaffected

Default status
affected

8040020250923180004.f153676a (rpm) before *
unaffected

Default status
affected

8040020250923175408.5b01ab7e (rpm) before *
unaffected

Default status
affected

8040020250923180004.f153676a (rpm) before *
unaffected

Default status
affected

8040020250923175408.5b01ab7e (rpm) before *
unaffected

Default status
affected

8060020250916172436.c1533a64 (rpm) before *
unaffected

Default status
affected

8060020250916174421.ada582f1 (rpm) before *
unaffected

Default status
affected

8060020250916172436.c1533a64 (rpm) before *
unaffected

Default status
affected

8060020250916174421.ada582f1 (rpm) before *
unaffected

Default status
affected

8060020250916172436.c1533a64 (rpm) before *
unaffected

Default status
affected

8060020250916174421.ada582f1 (rpm) before *
unaffected

Default status
affected

8080020250918184739.e581a9e4 (rpm) before *
unaffected

Default status
affected

8080020250918152850.b0a6ceea (rpm) before *
unaffected

Default status
affected

8080020250918184739.e581a9e4 (rpm) before *
unaffected

Default status
affected

8080020250918152850.b0a6ceea (rpm) before *
unaffected

Default status
affected

0:4.12.2-14.el9_6.5 (rpm) before *
unaffected

Default status
affected

0:4.9.8-11.el9_0.5 (rpm) before *
unaffected

Default status
affected

0:4.10.1-12.el9_2.6 (rpm) before *
unaffected

Default status
affected

0:4.11.0-15.el9_4.7 (rpm) before *
unaffected

Default status
unknown

Timeline

2025-08-19:Reported to Red Hat.
2025-09-30:Made public.

Credits

Red Hat would like to thank Tom Smith for reporting this issue.

References

www.openwall.com/lists/oss-security/2025/09/30/6

access.redhat.com/errata/RHSA-2025:17084 (RHSA-2025:17084) vendor-advisory

access.redhat.com/errata/RHSA-2025:17085 (RHSA-2025:17085) vendor-advisory

access.redhat.com/errata/RHSA-2025:17086 (RHSA-2025:17086) vendor-advisory

access.redhat.com/errata/RHSA-2025:17087 (RHSA-2025:17087) vendor-advisory

access.redhat.com/errata/RHSA-2025:17088 (RHSA-2025:17088) vendor-advisory

access.redhat.com/errata/RHSA-2025:17129 (RHSA-2025:17129) vendor-advisory

access.redhat.com/errata/RHSA-2025:17645 (RHSA-2025:17645) vendor-advisory

access.redhat.com/errata/RHSA-2025:17646 (RHSA-2025:17646) vendor-advisory

access.redhat.com/errata/RHSA-2025:17647 (RHSA-2025:17647) vendor-advisory

access.redhat.com/errata/RHSA-2025:17648 (RHSA-2025:17648) vendor-advisory

access.redhat.com/errata/RHSA-2025:17649 (RHSA-2025:17649) vendor-advisory

access.redhat.com/security/cve/CVE-2025-7493 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2389448 (RHBZ#2389448) issue-tracking

cve.org (CVE-2025-7493)

nvd.nist.gov (CVE-2025-7493)

Download JSON