CVE Alert: CVE-2025-11561 – Red Hat – Red Hat Enterprise Linux 10
CVE-2025-11561
A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, SSSD does not enable the Kerberos local authorization (localauth) plugin (sssd_krb5_localauth_plugin), so the mapping from a Kerberos principal to a local user falls back to Kerberos's default name-based mapping. This allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or sAMAccountName) to impersonate privileged users, resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.
AI Summary Analysis
Risk verdict
High risk to domain-joined Linux environments: a privilege-escalation flaw in SSSD's AD integration whose precondition is write access to certain AD attributes rather than a privileged foothold on the Linux host. Monitor KEV/SSVC signals for active exploitation and patch promptly.
Why this matters
Exploitation could let an attacker impersonate privileged AD principals and gain broad access across Linux hosts and containers integrated with AD. The impact includes lateral movement, credential theft, and access to sensitive workloads in identity-aware deployments.
Most likely attack path
The attacker needs an AD account with permission to modify the relevant attributes (such as userPrincipalName or sAMAccountName), not an existing foothold on the Linux host. By setting those attributes so that the Kerberos principal resolves to a privileged user on a host where the localauth plugin is not enabled, they can authenticate as that user, enabling escalation and potential spread to related systems.
Who is most exposed
Organisations relying on AD-integrated Linux servers and container platforms (e.g., enterprise Linux fleets and OpenShift-like workloads) are most at risk, wherever SSSD brokers Kerberos authentication to local user accounts.
Detection ideas
- Unexpected changes to the AD attributes used to map Kerberos principals to local users (userPrincipalName, sAMAccountName); on Windows domain controllers these surface as Directory Service Changes events (Event ID 5136) when object-modification auditing is enabled.
- Anomalous Kerberos ticket issuance or credential impersonation events on Linux hosts.
- SSSD and system auth logs where the Kerberos principal that authenticated does not match the local user the session was opened for.
- Unusual successful privilege escalations or unusual access to privileged accounts from Linux hosts.
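The following is an added example for the detection ideas above; it is not code from the original page, from Red Hat or from the SSSD project. It scans Windows Directory Service Changes events (Event ID 5136, "A directory service object was modified") rendered as JSON lines and flags changes to the two mapping attributes the advisory names. The 5136 field names and the %%14674 "Value Added" operation code are the real event schema; the sample events, the account names and DNs, and the privileged-name watchlist are constructed assumptions for the demo.

```python
"""Flag AD attribute changes that can repoint a Kerberos principal at a local user.

Added example; not code from the page, Red Hat or SSSD. The 5136 field names and
the %%14674 "Value Added" code follow the real event schema; accounts, DNs and
the privileged-name watchlist are assumptions.
"""
import json

# Attributes the advisory names as the impersonation vector.
SENSITIVE_ATTRS = {"userprincipalname", "samaccountname"}
# Watchlist of names whose local-user mapping an attacker would want (assumption).
PRIVILEGED_NAMES = {"root", "administrator", "admin"}
VALUE_ADDED = "%%14674"  # 5136 OperationType for "Value Added"


def _event(actor, cn, attr, value):
    """Build one constructed 5136 event (sample data, not a real log)."""
    return {"EventID": 5136, "SubjectUserName": actor,
            "ObjectDN": f"CN={cn},OU=Staff,DC=example,DC=com",
            "AttributeLDAPDisplayName": attr, "AttributeValue": value,
            "OperationType": VALUE_ADDED}


# Constructed sample log (assumption): provisioning-service edits next to
# self-service edits, one of which sets a UPN whose name part is 'root'.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    _event("svc-hr-sync", "alice", "description", "Payroll"),
    _event("bob", "bob", "userPrincipalName", "root@EXAMPLE.COM"),
    _event("svc-hr-sync", "alice", "userPrincipalName", "alice.smith@example.com"),
    _event("carol", "carol", "userPrincipalName", "carol.j@example.com"),
    _event("bob", "bob", "sAMAccountName", "Administrator"),
])


def local_part(value):
    """Name portion of a UPN/principal: 'root@EXAMPLE.COM' -> 'root'."""
    return value.split("@", 1)[0].strip().lower()


def rdn_name(dn):
    """Leaf RDN value of a DN: 'CN=bob,OU=...' -> 'bob'."""
    first = dn.split(",", 1)[0]
    return (first.split("=", 1)[1] if "=" in first else first).strip().lower()


def classify(event):
    """Return a finding dict for a suspicious principal-mapping change, else None."""
    if event.get("EventID") != 5136 or event.get("OperationType") != VALUE_ADDED:
        return None
    attr = event.get("AttributeLDAPDisplayName", "")
    if attr.lower() not in SENSITIVE_ATTRS:
        return None
    new_name = local_part(event.get("AttributeValue", ""))
    actor = event.get("SubjectUserName", "").lower()
    reasons = []
    if new_name in PRIVILEGED_NAMES:
        reasons.append("new value maps to a privileged name")
    if actor == rdn_name(event.get("ObjectDN", "")):
        reasons.append("account changed its own mapping attribute")
    if not reasons:
        return None
    return {"actor": event.get("SubjectUserName"), "object": event.get("ObjectDN"),
            "attribute": attr, "value": event.get("AttributeValue"),
            "severity": "high" if new_name in PRIVILEGED_NAMES else "medium",
            "reasons": reasons}


def scan(text):
    """Run classify over JSON-lines text; findings are returned in input order."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            finding = classify(json.loads(line))
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f['severity'].upper():6} {f['actor']} set {f['attribute']}={f['value']} "
              f"on {f['object']}: {'; '.join(f['reasons'])}")
```

Two rules drive the verdict: a mapping attribute whose new name part is on the privileged watchlist is high severity regardless of who changed it, and an account editing its own userPrincipalName or sAMAccountName is medium severity because provisioning systems, not end users, normally own those attributes. Feed the script real 5136 exports converted to JSON lines and tune the watchlist to the local account names that matter on your Linux fleet.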
Mitigation and prioritisation
- Apply vendor-supplied updates and follow Red Hat guidance for SSSD hardening. Until patched, register sssd_krb5_localauth_plugin with Kerberos in krb5.conf (a localauth block under the [plugins] section, not a setting in sssd.conf) so that principal-to-user mapping goes through SSSD's identity lookup instead of Kerberos's default name-based mapping.
- Explicitly enable the localauth plugin on every domain-joined system and verify that each Kerberos principal maps to the intended local user.
- Implement compensating controls: tighten AD attribute write access, monitor AD attribute changes, and enforce least privilege for AD admins.
- Change-management: schedule patching during a maintenance window; test in a staging environment before broad rollout.
- If KEV true or EPSS ≥ 0.5, treat as priority 1.
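The following is an added example for the mitigation list above; it is not code from the original page, from Red Hat or from the SSSD project. It audits a krb5.conf (expanding include and includedir directives the way krb5 does) and reports whether the SSSD localauth module is actually registered, showing the weak default beside the corrected snippet. The [plugins] localauth syntax and the includedir file-name rule are krb5.conf behaviour; the module path, the include directory, the sample configs and the in-memory file sets are constructed assumptions.

```python
"""Audit krb5.conf for the SSSD Kerberos localauth plugin.

Added example; not code from the page, Red Hat or SSSD. The [plugins] localauth
stanza and the includedir name rule are krb5.conf behaviour; paths, sample
configs and the in-memory file sets are assumptions.
"""
import os
import re

SSSD_MODULE = "sssd_krb5_localauth_plugin.so"
# krb5 includedir only reads files named with alphanumerics, '-' and '_' (recent
# releases also accept a .conf suffix); backups such as *.rpmsave are ignored.
INCLUDE_NAME = re.compile(r"^([A-Za-z0-9_-]+|[A-Za-z0-9_.-]+\.conf)$")


def expand_includes(text, read, listdir):
    """Inline one level of 'include FILE' / 'includedir DIR' directives."""
    out = []
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) == 2 and parts[0] == "include":
            out.append(read(parts[1]) or "")
        elif len(parts) == 2 and parts[0] == "includedir":
            for name in sorted(listdir(parts[1])):
                if INCLUDE_NAME.match(name):
                    out.append(read(os.path.join(parts[1], name)) or "")
        else:
            out.append(raw)
    return "\n".join(out)


def parse_localauth(text):
    """Collect module/enable_only/disable entries from every [plugins] localauth block."""
    found = {"module": [], "enable_only": [], "disable": []}
    section, depth, in_localauth = None, 0, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header and depth == 0:
            section = header.group(1).lower()
            continue
        if section != "plugins":
            continue
        if line == "}" and depth > 0:
            depth -= 1
            in_localauth = in_localauth and depth > 0
        elif line.endswith("{"):
            depth += 1
            if depth == 1:  # top-level block names the plugin interface
                in_localauth = re.match(r"^localauth\s*=\s*\{$", line) is not None
        elif in_localauth and depth == 1:
            kv = re.match(r"^(\w+)\s*=\s*(.+)$", line)
            if kv and kv.group(1) in found:
                found[kv.group(1)].append(kv.group(2).strip())
    return found


def audit(text, read=lambda p: None, listdir=lambda d: []):
    """(enabled, details): True when the SSSD module is registered and not disabled."""
    details = parse_localauth(expand_includes(text, read, listdir))
    enabled = any(SSSD_MODULE in m for m in details["module"]) and "sssd" not in details["disable"]
    return enabled, details


def audit_host(path="/etc/krb5.conf"):
    """Run the audit against this host's real files (default path is an assumption)."""
    def read(p):
        try:
            with open(p) as fh:
                return fh.read()
        except OSError:
            return None

    def listdir(d):
        try:
            return os.listdir(d)
        except OSError:
            return []
    return audit(read(path) or "", read, listdir)


# --- constructed samples (assumptions) ----------------------------------------
INC_DIR = "/var/lib/sss/pubconf/krb5.include.d/"
BASE_KRB5_CONF = f"""\
includedir {INC_DIR}

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_kdc = true

[realms]
 EXAMPLE.COM = {{
 }}
"""
# Corrected state: SSSD's localauth module registered with the Kerberos library.
LOCALAUTH_SNIPPET = """\
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }
"""
# Weak host: the only copy of the snippet is a backup file krb5 never reads.
WEAK_FILES = {INC_DIR + "localauth_plugin.rpmsave": LOCALAUTH_SNIPPET}
# Fixed host: the snippet sits under a name krb5 includes.
FIXED_FILES = {INC_DIR + "localauth_plugin": LOCALAUTH_SNIPPET}


def mem_fs(files):
    """read/listdir callables over an in-memory {path: content} map."""
    return files.get, lambda d: [os.path.basename(p) for p in files if os.path.dirname(p) == d.rstrip("/")]


def demo():
    """(weak_enabled, fixed_enabled) for the two constructed hosts."""
    return audit(BASE_KRB5_CONF, *mem_fs(WEAK_FILES))[0], audit(BASE_KRB5_CONF, *mem_fs(FIXED_FILES))[0]


if __name__ == "__main__":
    weak, fixed = demo()
    print(f"constructed weak host: {weak} | constructed fixed host: {fixed}")
    print(f"this host ({'/etc/krb5.conf'}): {audit_host()[0]}")
```

Run it as root on a domain-joined host and act on a False result: add the localauth block to /etc/krb5.conf or to a file in an included directory, keeping in mind the file-name rule the audit enforces, since a snippet saved as, say, localauth_plugin.rpmsave is silently skipped by the Kerberos library and the host stays on the default name-based mapping.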