CVE-2025-4404

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.

References

Link	Resource
https://access.redhat.com/errata/RHSA-2025:9184
https://access.redhat.com/errata/RHSA-2025:9185
https://access.redhat.com/errata/RHSA-2025:9186
https://access.redhat.com/errata/RHSA-2025:9187
https://access.redhat.com/errata/RHSA-2025:9188
https://access.redhat.com/errata/RHSA-2025:9189
https://access.redhat.com/errata/RHSA-2025:9190
https://access.redhat.com/errata/RHSA-2025:9191
https://access.redhat.com/errata/RHSA-2025:9192
https://access.redhat.com/errata/RHSA-2025:9193
https://access.redhat.com/errata/RHSA-2025:9194
https://access.redhat.com/security/cve/CVE-2025-4404
https://bugzilla.redhat.com/show_bug.cgi?id=2364606
https://pagure.io/freeipa/c/6b9400c135ed16b10057b350cc9ce42aa0e862d4
https://pagure.io/freeipa/c/796ed20092d554ee0c9e23295e346ec1e8a0bf6e
http://www.openwall.com/lists/oss-security/2025/09/30/6

Configurations

No configuration.

History

04 Nov 2025, 22:16

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2025/09/30/6 -

29 Jul 2025, 18:15

Type	Values Removed	Values Added
Summary		(es) Se detectó una vulnerabilidad de escalada de privilegios del host al dominio en el proyecto FreeIPA. El paquete FreeIPA no valida la unicidad de `krbCanonicalName` para la cuenta de administrador por defecto, lo que permite a los usuarios crear servicios con el mismo nombre canónico que el administrador de REALM. Cuando se produce un ataque exitoso, el usuario puede recuperar un ticket de Kerberos en nombre de este servicio, que contiene la credencial admin@REALM. Esta falla permite a un atacante realizar tareas administrativas a través de REALM, lo que permite el acceso a datos confidenciales y su exfiltración.
References		() https://pagure.io/freeipa/c/6b9400c135ed16b10057b350cc9ce42aa0e862d4 - () https://pagure.io/freeipa/c/796ed20092d554ee0c9e23295e346ec1e8a0bf6e -

17 Jun 2025, 15:15

Type	Values Removed	Values Added
References		() https://access.redhat.com/errata/RHSA-2025:9184 - () https://access.redhat.com/errata/RHSA-2025:9186 - () https://access.redhat.com/errata/RHSA-2025:9187 - () https://access.redhat.com/errata/RHSA-2025:9188 - () https://access.redhat.com/errata/RHSA-2025:9189 - () https://access.redhat.com/errata/RHSA-2025:9190 - () https://access.redhat.com/errata/RHSA-2025:9191 - () https://access.redhat.com/errata/RHSA-2025:9192 - () https://access.redhat.com/errata/RHSA-2025:9193 - () https://access.redhat.com/errata/RHSA-2025:9194 -

17 Jun 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-17 14:15

Updated : 2025-11-04 22:16

NVD link : CVE-2025-4404

Mitre link : CVE-2025-4404

CVE.ORG link : CVE-2025-4404

JSON object : View

Products Affected

No product.

CWE

CWE-1220

Insufficient Granularity of Access Control

9.1 /10