CVE-2025-6018
Linux openSUSE vulnerability analysis and mitigation

Overview

CVE-2025-6018 is a Local Privilege Escalation (LPE) vulnerability discovered in the PAM configuration of openSUSE Leap 15 and SUSE Linux Enterprise 15. The vulnerability allows an unprivileged local attacker, such as someone who logs in via SSH, to gain the privileges of a physical 'allow_active' user. The vulnerability was discovered and reported by Qualys researchers in June 2025 (Help Net Security, Openwall).

Technical details

The vulnerability exists due to a misconfiguration in PAM where the pam_env module reads the user's ~/.pam_environment file by default before the pam_systemd module is called. This allows attackers to set environment variables like XDG_SEAT=seat0 and XDG_VTNR=1, effectively tricking the system into treating any local login as if the user were physically present at the console. The vulnerability has been confirmed to affect PAM version 1.3.0 and related configurations (Openwall).

Impact

When exploited, this vulnerability allows attackers to perform all the 'allow_active yes' polkit actions that are normally reserved for physical users. When chained with CVE-2025-6019, it enables a complete privilege escalation path from an unprivileged user to root access. This could lead to the ability to switch off EDR agents, implant backdoors, change configurations, and potentially launch wider organizational compromises (Help Net Security).

Mitigation and workarounds

Major Linux distributions have started patching the vulnerability. Ubuntu has confirmed that default installations are not vulnerable due to their specific configuration of the pam_systemd.so and pam_env.so modules. For systems that might be affected, it is recommended to ensure there are no pam_env.so user_readenv=1 invocations before pam_systemd.so in any of the PAM stacks defined under /etc/pam.d/. Organizations are advised to deploy patches without delay (Ubuntu Blog).
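One way to run the check recommended above across /etc/pam.d/ is sketched below as an added example; it is not code from Qualys, SUSE, Ubuntu or this page. The names `flatten`, `audit`, `demo` and the `default_on` flag are assumptions: `default_on=True` models the behaviour described above, where pam_env reads the user file when no `user_readenv=` argument is given.

```python
import re, tempfile
from pathlib import Path
PHASE = {"auth": 0, "session": 1}  # a login runs auth before session; sorted() below is stable

def flatten(pam_dir, service, only=None, seen=()):
    """Yield (phase, module, args) for a service, following include/substack lines."""
    path = Path(pam_dir, service)
    if service in seen or not path.is_file():
        return
    for raw in path.read_text(errors="replace").splitlines():
        # Drop comments and collapse a bracketed control field like [success=1 default=ignore].
        tok = re.sub(r"^(\s*\S+\s+)\[[^\]]*\]", r"\1ctl", raw.split("#", 1)[0]).split()
        phase = tok[0].lstrip("-") if tok else ""
        if len(tok) < 3 or phase not in PHASE or (only and phase != only):
            continue
        if tok[1] in ("include", "substack"):
            yield from flatten(pam_dir, tok[2], phase, seen + (service,))
            continue
        yield phase, Path(tok[2]).name, tok[3:]

def reads_user_env(args, default_on):
    vals = [a.split("=", 1)[1] for a in args if a.startswith("user_readenv=")]
    return vals[-1] == "1" if vals else default_on

def audit(pam_dir, default_on=True):
    """Return services where pam_env.so reads the user file before pam_systemd.so runs."""
    hits = []
    for service in sorted(p.name for p in Path(pam_dir).iterdir()):
        env_seen = False
        for phase, module, args in sorted(flatten(pam_dir, service), key=lambda e: PHASE[e[0]]):
            if module == "pam_env.so" and reads_user_env(args, default_on):
                env_seen = True
            elif module == "pam_systemd.so" and env_seen:
                hits.append(service)
                break
    return hits

SAMPLE = {  # constructed PAM files for illustration, not taken from any real system
    "common-auth": "auth required pam_env.so\nauth required pam_unix.so\n",
    "common-session": "session optional pam_systemd.so\n",
    "sshd": "auth include common-auth\nsession include common-session\n",
    "cron": "auth required pam_env.so user_readenv=0\nsession optional pam_systemd.so\n",
    "login": "session optional pam_systemd.so\nsession optional pam_env.so\n",
}

def demo(default_on=True):
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE.items():
            Path(d, name).write_text(body)
        return audit(d, default_on)
```

On a real host, `audit("/etc/pam.d")` lists the services whose stacks need reordering or an explicit `user_readenv=0`.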

Community reactions

The security community has shown significant concern about this vulnerability, particularly due to its potential for chaining with CVE-2025-6019 to achieve root access. Saeed Abbasi, Senior Manager of Product Management for Security Research at Qualys, emphasized that these modern 'local-to-root' exploits have collapsed the gap between an ordinary logged-in user and full system takeover (Help Net Security).

This report was generated using AI.
