CVE-2025-4404: 
Alma Linux vulnerability analysis and mitigation

A privilege escalation vulnerability (CVE-2025-4404) was discovered in the FreeIPA project, identified on June 17, 2025. The vulnerability exists in the FreeIPA package which fails to validate the uniqueness of the krbCanonicalName for the admin account by default. This affects Red Hat Enterprise Linux and its various distributions (NVD, Red Hat CVE).

The vulnerability stems from insufficient validation of the krbCanonicalName attribute in FreeIPA's LDAP implementation. This allows users to create services with the same canonical name as the REALM admin. When successfully exploited, an attacker can retrieve a Kerberos ticket in the name of this service containing the admin@REALM credential. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL) with the vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H (NVD).

The successful exploitation of this vulnerability allows an attacker to perform administrative tasks over the REALM, potentially leading to unauthorized access to sensitive data and data exfiltration. The high severity rating indicates the significant potential impact on affected systems (NVD).

Red Hat has released security updates to address this vulnerability across multiple product versions including RHEL 7, 8, 9, and 10. Users are advised to update their systems with the latest security patches available through the respective security advisories (Red Hat Bugzilla).