CVE-2025-46811
📋 TL;DR
CVE-2025-46811 is a critical Missing Authorization vulnerability in SUSE Linux Manager that allows any user who can connect to port 443 of SUSE Manager to execute arbitrary commands as root on any managed client. This affects multiple SUSE Manager Server products and container images, potentially compromising entire managed environments.
💻 Affected Systems
- SUSE Linux Manager
- SUSE Manager Server Module 4.3
- Container suse/manager/5.0/x86_64/server
- Image SLES15-SP4-Manager-Server-4-3-BYOS
- Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure
- Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2
- Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all managed systems, data exfiltration, ransomware deployment, and persistent backdoor installation across the entire infrastructure.
Likely Case
Attackers gain root access to managed clients, allowing them to steal credentials, install malware, and pivot to other systems in the network.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized connections to SUSE Manager.
🎯 Exploit Status
The vulnerability requires network access to port 443 but no authentication. Exploitation is straightforward once the vulnerability is understood.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Container: 5.0.27-150600.3.33.1 or later; Images and Module: 4.3.87-150400.3.110.2 or later
Vendor Advisory: https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-46811
Restart Required: Yes
Instructions:
1. Update SUSE Manager using 'zypper update' or appropriate package manager.
2. Verify the updated version.
3. Restart SUSE Manager services.
4. Test functionality with a non-privileged client.
🔧 Temporary Workarounds
Network Access Restriction
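Restrict access to SUSE Manager port 443 to only trusted management networks and systems. Because -A appends to the chain, these rules take effect only if no earlier INPUT rule already accepts port 443.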
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_NETWORK -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Firewall Configuration
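Configure the host-based firewall to only allow connections from authorized IP addresses. The accept rule below restricts access only if port 443 is not otherwise open in the zone, for example through the https service or an open 443/tcp port.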
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_IP" port protocol="tcp" port="443" accept'
firewall-cmd --reload
🧯 If You Can't Patch
- Immediately restrict network access to SUSE Manager port 443 using firewall rules to only allow connections from authorized management systems.
- Monitor network traffic to port 443 for suspicious activity and implement strict logging and alerting for any unauthorized connection attempts.
🔍 How to Verify
Check if Vulnerable:
Check current version: For containers: 'docker inspect CONTAINER_NAME | grep -i version'; For installed packages: 'rpm -qa | grep -i suse-manager'
Check Version:
rpm -q suse-manager-server
Verify Fix Applied:
Verify version is patched: Container should be 5.0.27-150600.3.33.1 or later; Other products should be 4.3.87-150400.3.110.2 or later
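The version check above as a script, added here as an example and not taken from the vendor or from this page's own tooling: it compares a version-release string numerically, field by field, against the two fixed versions listed above. The function names are this example's own, and it assumes purely numeric version strings on the 5.0 and 4.3 lines; anything else is reported as unknown.

```sh
#!/bin/sh
# Added example (not vendor code). Fixed versions are the ones listed on this page.
FIXED_CONTAINER="5.0.27-150600.3.33.1"   # container
FIXED_4_3="4.3.87-150400.3.110.2"        # images and module

# ver_ge A B: succeed if A >= B. Fields are split on '.' and '-' and compared
# as integers, so 4.3.9 sorts below 4.3.87. Missing fields count as 0.
# Assumption: both strings are purely numeric (checked in classify).
ver_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%[.-]*}; y=${b%%[.-]*}          # first field of each
        case $a in *[.-]*) a=${a#*[.-]} ;; *) a= ;; esac
        case $b in *[.-]*) b=${b#*[.-]} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# classify VERSION-RELEASE: prints patched, vulnerable or unknown.
classify() {
    v=$1
    case $v in   # reject empty, non-numeric or malformed strings
        ''|*[!0-9.-]*|[.-]*|*[.-]|*[.-][.-]*) echo unknown; return 0 ;;
    esac
    case $v in
        5.0.*) fixed=$FIXED_CONTAINER ;;
        4.3.*) fixed=$FIXED_4_3 ;;
        *)     echo unknown; return 0 ;;   # release line not covered by the page
    esac
    if ver_ge "$v" "$fixed"; then echo patched; else echo vulnerable; fi
}

# Stand-alone use: sh check.sh 4.3.86-150400.3.107.1   (constructed sample value)
if [ "$#" -gt 0 ]; then classify "$1"; fi
```

To get a bare version-release string without the package name and architecture, query with `rpm -q --qf '%{VERSION}-%{RELEASE}\n' suse-manager-server` and pass the result to `classify`.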
📡 Detection & Monitoring
Log Indicators:
- Unauthorized connection attempts to port 443
- Unexpected command execution on managed clients
- Authentication bypass logs in SUSE Manager
Network Indicators:
- Unusual traffic patterns to SUSE Manager port 443 from unexpected sources
- Command and control traffic from managed clients
SIEM Query:
source="suse_manager" AND (event_type="auth_failure" OR dest_port=443) AND src_ip NOT IN (trusted_ips)