fkie_cve-2025-4404
Vulnerability from fkie_nvd
Published
2025-06-17 14:15
Modified
2025-07-29 18:15
Severity ?
9.1 (Critical) - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Summary
A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2025:9184
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2025:9185
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2025:9186
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2025:9187
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2025:9188
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2025:9189
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2025:9190
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2025:9191
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2025:9192
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2025:9193
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2025:9194
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2025-4404
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2364606
secalert@redhat.comhttps://pagure.io/freeipa/c/6b9400c135ed16b10057b350cc9ce42aa0e862d4
secalert@redhat.comhttps://pagure.io/freeipa/c/796ed20092d554ee0c9e23295e346ec1e8a0bf6e
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration."
    },
    {
      "lang": "es",
      "value": "Se detect\u00f3 una vulnerabilidad de escalada de privilegios del host al dominio en el proyecto FreeIPA. El paquete FreeIPA no valida la unicidad de `krbCanonicalName` para la cuenta de administrador por defecto, lo que permite a los usuarios crear servicios con el mismo nombre can\u00f3nico que el administrador de REALM. Cuando se produce un ataque exitoso, el usuario puede recuperar un ticket de Kerberos en nombre de este servicio, que contiene la credencial admin@REALM. Esta falla permite a un atacante realizar tareas administrativas a trav\u00e9s de REALM, lo que permite el acceso a datos confidenciales y su exfiltraci\u00f3n."
    }
  ],
  "id": "CVE-2025-4404",
  "lastModified": "2025-07-29T18:15:29.983",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.1,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.3,
        "impactScore": 6.0,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-06-17T14:15:32.743",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:9184"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:9185"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:9186"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:9187"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:9188"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:9189"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:9190"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:9191"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:9192"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:9193"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2025:9194"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/security/cve/CVE-2025-4404"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2364606"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://pagure.io/freeipa/c/6b9400c135ed16b10057b350cc9ce42aa0e862d4"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://pagure.io/freeipa/c/796ed20092d554ee0c9e23295e346ec1e8a0bf6e"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1220"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.