CVE-2025-5689: 
vulnerability analysis and mitigation

A vulnerability (CVE-2025-5689) was discovered in Ubuntu's authd authentication system on June 16, 2025. The flaw exists in the temporary user record that authd uses in the pre-auth NSS, affecting systems where authd was installed via PPA and configured with OAuth 2.0 applications in Microsoft Entra ID or Google IAM (GitHub Advisory).

The vulnerability occurs when specific conditions are met, including having UsePAM and KbdInteractiveAuthentication enabled in the SSH configuration. It has been assigned a CVSS v3.1 base score of 8.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N, indicating network attack vector, low attack complexity, low privileges required, and no user interaction needed (NVD, Wiz).

When exploited, the vulnerability allows a user logging in for the first time to be considered part of the root group in the context of that SSH session. This leads to unauthorized access to root group privileges, enabling the user to read and write files that are accessible by the root group. However, the user does not gain full root privileges or additional capabilities beyond root group access (GitHub Advisory).

The vulnerability has been patched in version v0.5.4 of authd. As a temporary workaround, administrators can configure the SSH server to prevent authentication via authd by setting 'UsePAM no' or 'KbdInteractiveAuthentication no' in the sshd_config. The fix was implemented in commit 619ce8e (GitHub Advisory).