CVE-2025-11561

8.8 HIGH

📋 TL;DR

This vulnerability allows attackers with permission to modify Active Directory attributes (like userPrincipalName or samAccountName) to impersonate privileged users on domain-joined Linux systems. The flaw occurs in SSSD's Kerberos local authentication plugin fallback mechanism, potentially leading to unauthorized access or privilege escalation. Affected systems are Linux hosts integrated with Active Directory using SSSD.

💻 Affected Systems

Products:
  • System Security Services Daemon (SSSD)
Versions: Specific versions not provided in CVE, but Red Hat advisories indicate affected RHEL versions
Operating Systems: Linux distributions using SSSD with Active Directory integration
Default Config Vulnerable: ⚠️ Yes
Notes: Requires SSSD configured with Active Directory integration and the Kerberos local authentication plugin enabled (default).

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete domain compromise through privilege escalation to root on multiple Linux systems, enabling lateral movement across the network.

🟠 Likely Case

Unauthorized access to sensitive Linux systems, data exfiltration, and limited privilege escalation within the compromised environment.

🟢 If Mitigated

Minimal impact with proper AD attribute modification controls and timely patching, limiting attacker ability to exploit the fallback mechanism.

🌐 Internet-Facing: LOW - This vulnerability requires AD attribute modification access and domain-joined Linux systems, making direct internet exploitation unlikely.
🏢 Internal Only: HIGH - Internal attackers with AD modification privileges can exploit this to gain unauthorized access to Linux systems across the domain.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires AD attribute modification privileges and knowledge of target systems. No public exploit code identified in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check specific Red Hat advisories for version details

Vendor Advisory: https://access.redhat.com/errata/RHSA-2025:19610

Restart Required: Yes

Instructions:

  1. Update the SSSD package using your distribution's package manager.
  2. Restart the SSSD service.
  3. Verify the fix by checking the SSSD version and configuration.

🔧 Temporary Workarounds

Disable an2ln plugin fallback

Platform: linux

Configure SSSD to disable the fallback to the an2ln plugin in the krb5_localauth_plugin settings.

Edit /etc/sssd/sssd.conf and set krb5_localauth_plugin = sssd_krb5_localauth_plugin (ensure no fallback).

Restrict AD attribute modifications

Platform: all

Implement strict access controls on the userPrincipalName and samAccountName attributes in Active Directory.

🧯 If You Can't Patch

  • Implement strict monitoring of AD attribute modifications and alert on suspicious changes
  • Segment Linux systems from AD management interfaces and limit AD modification privileges

🔍 How to Verify

Check if Vulnerable:

Check the SSSD configuration for krb5_localauth_plugin settings and verify whether an an2ln fallback is possible.

Check Version:

sssd --version

Verify Fix Applied:

Verify that the SSSD version is updated per the vendor advisories and that the configuration no longer allows an an2ln fallback.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication attempts from modified AD accounts
  • SSSD error logs related to localauth plugin fallbacks

Network Indicators:

  • Unexpected Kerberos authentication requests from Linux systems

SIEM Query:

source="sssd" AND ("an2ln" OR "localauth_fallback")
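As an added example (not part of this CVE entry), a Python function that applies the log indicators above to SSSD-style log lines and reports which principals were mapped through the fallback and to which local account. The log line layout, the principal names and the "localauth_fallback"/"an2ln" message wording are constructed assumptions for the sample, not SSSD's actual output; adjust the regexes to your real sssd_*.log format.

```python
import re
from collections import defaultdict

# Indicator tokens taken from the SIEM query on this page.
INDICATORS = ("an2ln", "localauth_fallback")

# Constructed sample lines in an SSSD-style layout (hypothetical; real
# sssd log layouts and message texts vary by version and debug level).
SAMPLE_LOG = """\
(2025-10-01 09:12:01): [be[corp.example]] [krb5_auth] (0x0100): principal alice@CORP.EXAMPLE mapped by sssd_krb5_localauth_plugin
(2025-10-01 09:12:07): [be[corp.example]] [krb5_auth] (0x0020): localauth_fallback: plugin lookup failed for principal svc-backup@CORP.EXAMPLE, using an2ln
(2025-10-01 09:12:09): [be[corp.example]] [krb5_auth] (0x0020): an2ln resolved svc-backup@CORP.EXAMPLE to local user root
(2025-10-01 09:13:44): [be[corp.example]] [krb5_auth] (0x0100): principal bob@CORP.EXAMPLE mapped by sssd_krb5_localauth_plugin
"""

LINE_RE = re.compile(r"^\((?P<ts>[^)]+)\): \[be\[(?P<domain>[^\]]+)\]\] .*?: (?P<msg>.*)$")
PRINCIPAL_RE = re.compile(r"\b([A-Za-z0-9._-]+@[A-Za-z0-9.-]+)\b")
LOCAL_USER_RE = re.compile(r"\bto local user (\S+)")


def find_fallback_events(log_text):
    """Return {principal: [(timestamp, local_user_or_None, message), ...]}
    for every line that carries one of the indicator tokens."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a log line in the assumed layout
        msg = m.group("msg")
        if not any(tok in msg for tok in INDICATORS):
            continue  # normal plugin mapping, no fallback
        p = PRINCIPAL_RE.search(msg)
        principal = p.group(1) if p else "<unknown>"
        lu = LOCAL_USER_RE.search(msg)
        events[principal].append((m.group("ts"), lu.group(1) if lu else None, msg))
    return dict(events)


def privileged_mappings(events, privileged=("root",)):
    """Principals whose fallback mapping landed on a privileged local account;
    these are the hits worth an immediate alert."""
    return sorted(p for p, evs in events.items()
                  if any(u in privileged for _, u, _ in evs))
```

Run it over the constructed sample and only svc-backup@CORP.EXAMPLE is reported, with its second event resolving to root.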
