CVE-2024-58250: 
Linux Debian vulnerability analysis and mitigation

The passprompt plugin in pppd (Point-to-Point Protocol daemon) in ppp versions before 2.5.2 contains a privilege mishandling vulnerability. This security issue was disclosed in April 2025 and affects the PPP package, which implements the Point-to-Point Protocol on Linux and Solaris systems (PPP Homepage, NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.3 (CRITICAL) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The issue is classified under CWE-426 (Untrusted Search Path) and specifically relates to privilege mishandling in the passprompt plugin functionality (NVD).

The vulnerability could potentially lead to privilege escalation issues due to the mishandling of privileges in the passprompt plugin. Given the CRITICAL CVSS score and the complete compromise of confidentiality, integrity, and availability indicated by the vector string, the impact of successful exploitation could be severe (NVD).

The primary mitigation is to upgrade to ppp version 2.5.2 or later, which removes the vulnerable passprompt plugin entirely. For systems that cannot immediately upgrade, it is recommended to avoid using the promptprog configuration option. The passwordfd plugin can be used as a more secure alternative to the removed passprompt functionality (Ubuntu Security, PPP Commit).

Ubuntu has marked this vulnerability as 'Medium' priority and has noted that the feature is not enabled by default. They have decided not to backport fixes to stable releases, recommending instead that users avoid the feature if security is a concern (Ubuntu Security).