CVE-2025-5689: 
vulnerability analysis and mitigation

A flaw was found in the temporary user record that authd uses in the pre-auth NSS. The vulnerability, identified as CVE-2025-5689, was discovered and disclosed on June 16, 2025. This vulnerability affects Ubuntu's authd authentication system, specifically impacting systems where authd was installed via PPA and configured with OAuth 2.0 applications in Microsoft Entra ID or Google IAM (GitHub Advisory).

The vulnerability allows a user logging in for the first time to be considered part of the root group in the context of that SSH session. The issue occurs when specific conditions are met, including having UsePAM and KbdInteractiveAuthentication enabled in the SSH configuration. The vulnerability has been assigned a CVSS v3.1 base score of 6.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, low privileges required, and no user interaction needed (NVD).

The vulnerability leads to a local privilege escalation if the user should not have root privileges. This affects users who haven't previously logged into the system and are logging in via SSH. The impact is limited to the context of the SSH session but could potentially allow unauthorized access to root group privileges (GitHub Advisory).

The vulnerability has been patched in version v0.5.4 of authd. As a workaround, administrators can configure the SSH server to not allow authentication via authd by setting UsePAM no or KbdInteractiveAuthentication no in the sshd_config. The fix was implemented in commit 619ce8e (GitHub Advisory).