NEWS If Your Screen Is On, You're Already Vulnerable: Linux Falls Apart From Within — Without Malware or Hacks

ExcalibuR


Everything followed the rules — until an ordinary user became root in three seconds, without any exploit.


Amid ongoing discussions around Linux security, two critical vulnerabilities have been discovered that allow a regular user to take full control of the system. Both issues involve privilege escalation and were identified by researchers at Qualys. The vulnerabilities — CVE-2025-6018 and CVE-2025-6019 — together enable a standard user to become a superuser with root access to the system.


CVE-2025-6018 is found in the PAM authentication mechanism of SUSE Linux Enterprise 15 and openSUSE Leap 15. It allows an unauthorized user to escalate privileges to an “allow_active” state — a status that permits actions via Polkit, normally allowed only for physically present users. This loophole acts as the first step toward gaining complete system control.


CVE-2025-6019 affects the libblockdev component and is exploited via the udisks daemon, which is preinstalled in nearly all major Linux distributions. It allows a user with “allow_active” status to escalate privileges to root. Combined with the first vulnerability, the attack becomes extremely effective — rapidly bypassing two layers of protection to gain full system access.


According to Qualys, an attacker only needs an active session — either in a graphical interface or via SSH — to exploit the flaws and obtain root access within seconds. This type of attack undermines traditional concepts of user/admin privilege separation, essentially erasing the boundaries. Once root access is obtained, the attacker can modify security settings, install stealth access tools, and use the compromised system as a pivot point for further lateral movement across the network.


Qualys validated the vulnerabilities with proof-of-concept exploits on multiple systems, including Fedora, Debian, Ubuntu, and openSUSE. Experts warn that nearly all modern Linux distributions are affected, as udisks and Polkit are core infrastructure components. Users are strongly urged to apply security patches issued by their distro maintainers as soon as possible.


As a temporary mitigation, it's recommended to modify the Polkit rule for the action org.freedesktop.udisks2.modify-device, requiring admin authentication (auth_admin) to prevent automatic access.
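The workaround above, written out as a script, is an added example and not part of the original post or of Qualys's advisory. It assumes a distribution running polkit 0.106 or newer (JavaScript rules under /etc/polkit-1/rules.d) and uses a file name, 10-udisks2-modify-device.rules, chosen here; the action id and the auth_admin result are the ones the post names. Run without arguments it only demonstrates the rule in a temporary directory; with --install, as root, it writes the rule into the system directory.

```shell
#!/bin/sh
# Added example (not from the original post): install a stopgap Polkit rule
# that forces admin authentication for org.freedesktop.udisks2.modify-device,
# so an "allow_active" session alone no longer grants the udisks action.
# Assumptions: polkit >= 0.106 (JavaScript rules in /etc/polkit-1/rules.d);
# the rule file name below is a choice made here, not a distro convention.
set -eu

RULE_NAME="10-udisks2-modify-device.rules"
ACTION_ID="org.freedesktop.udisks2.modify-device"

# write_udisks_mitigation_rule DIR
# Writes the rule into DIR (normally /etc/polkit-1/rules.d) and prints its path.
# The low "10-" prefix matters: polkit evaluates rule files in lexicographic
# order and stops at the first rule that returns a result, so this file must
# sort before the distribution's own udisks2 rules.
write_udisks_mitigation_rule() {
    dir="$1"
    path="$dir/$RULE_NAME"
    umask 022
    cat > "$path" <<EOF
// Temporary mitigation: require admin authentication for udisks2
// modify-device even when the caller holds an active local session.
polkit.addRule(function(action, subject) {
    if (action.id == "$ACTION_ID") {
        return polkit.Result.AUTH_ADMIN;
    }
});
EOF
    printf '%s\n' "$path"
}

# rule_requires_auth_admin FILE
# Coarse textual audit: succeeds only if FILE names the action id and maps it
# to polkit.Result.AUTH_ADMIN. Useful for checking the rule after a config
# management run, not a substitute for "pkcheck" against a live polkitd.
rule_requires_auth_admin() {
    file="$1"
    grep -q "$ACTION_ID" "$file" && grep -q 'polkit.Result.AUTH_ADMIN' "$file"
}

# Stand-alone run: install for real only when asked, otherwise demonstrate
# in a throwaway directory so the script is safe to run unprivileged.
if [ "${1:-}" = "--install" ]; then
    target=/etc/polkit-1/rules.d
else
    target=$(mktemp -d)
fi
rule=$(write_udisks_mitigation_rule "$target")
rule_requires_auth_admin "$rule" && echo "rule in place: $rule"
```

polkitd watches the rules directories and reloads on change, so no restart is normally needed; restart polkit.service if in doubt. Expect the side effect the post implies: desktop users will be prompted for an administrator password for udisks device modifications until the patched libblockdev/udisks packages are installed and the rule is removed. On distributions still shipping polkit 0.105 (older Ubuntu releases), the equivalent override goes in a .pkla file under /etc/polkit-1/localauthority/50-local.d/ with ResultActive=auth_admin for the same action id.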


It's worth noting that another flaw — CVE-2023-0386 — was recently added to the Known Exploited Vulnerabilities (KEV) catalog. Despite a patch being available since early 2023, this Linux kernel bug has been actively exploited in the wild. It affects Linux namespaces, which are designed to isolate user privileges and processes. Due to an implementation flaw in overlay file systems, an executable can be loaded across layers and run with elevated (root) privileges. This is particularly dangerous in multi-user or containerized environments.