CVE-2025-4404

FreeIPA: IdM: privilege escalation from host to domain admin in FreeIPA

Description

A host-to-domain privilege escalation vulnerability was found in the FreeIPA project. By default, the FreeIPA package does not validate that the `krbCanonicalName` of the admin account is unique, so users can create services with the same canonical name as the REALM admin. If the attack succeeds, the user can retrieve a Kerberos ticket in the name of this service that contains the admin@REALM credential. This flaw lets an attacker perform administrative tasks across the REALM, leading to access to sensitive data and its exfiltration.
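
As an added example, not FreeIPA project code and not part of the Red Hat advisory, the following Python script audits an LDIF export of the FreeIPA accounts subtree for the condition this CVE describes: more than one entry carrying the same krbCanonicalName, and in particular an entry other than the admin user carrying admin@REALM. The sample LDIF is constructed; the cn=users and cn=services containers under cn=accounts and the uid=admin DN follow FreeIPA's default directory layout but are assumptions here, and the rogue service entry is illustrative only.

```python
"""Audit a FreeIPA LDAP export for krbCanonicalName collisions.

Added example for the CVE-2025-4404 description; not FreeIPA code.
The flaw is that krbCanonicalName was not enforced unique, so a second
entry could carry admin@REALM as its canonical principal.  This script
parses an LDIF dump, lists every canonical name held by more than one
entry, and flags non-admin entries that claim admin@REALM.
"""
import base64
from collections import defaultdict

# Constructed sample LDIF.  The DIT layout (cn=users / cn=services under
# cn=accounts) follows the FreeIPA default; the rogue service entry is an
# assumed illustration of a collision, not a captured real record.
SAMPLE_LDIF = """\
dn: uid=admin,cn=users,cn=accounts,dc=example,dc=test
objectClass: krbprincipalaux
uid: admin
description: Built-in administrative
  account
krbCanonicalName: admin@EXAMPLE.TEST
krbPrincipalName: admin@EXAMPLE.TEST

dn: krbprincipalname=HTTP/web.example.test@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
objectClass: ipaservice
krbCanonicalName: HTTP/web.example.test@EXAMPLE.TEST
krbPrincipalName: HTTP/web.example.test@EXAMPLE.TEST

dn: krbprincipalname=admin@EXAMPLE.TEST,cn=services,cn=accounts,dc=example,dc=test
objectClass: ipaservice
krbCanonicalName:: YWRtaW5ARVhBTVBMRS5URVNU
krbPrincipalName: admin@EXAMPLE.TEST
"""


def _unfold(text):
    """Join LDIF continuation lines: a line starting with one space
    continues the previous line, minus that leading space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of (dn, {attr_lowercase: [values]}) per entry.
    Handles 'attr:: base64' values; ignores comments and 'version:'."""
    entries = []
    dn, attrs = None, defaultdict(list)

    def flush():
        nonlocal dn, attrs
        if dn is not None:
            entries.append((dn, dict(attrs)))
        dn, attrs = None, defaultdict(list)

    for line in _unfold(text):
        if not line.strip():
            flush()                      # blank line ends an entry
            continue
        if line.startswith('#') or line.startswith('version:'):
            continue
        name, sep, value = line.partition(':')
        if not sep:
            continue                     # not an attribute line
        if value.startswith(':'):        # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode('utf-8')
        else:
            value = value.lstrip()
        if name.lower() == 'dn':
            dn = value
        else:
            attrs[name.lower()].append(value)
    flush()
    return entries


def canonical_name_holders(entries):
    """Map every krbCanonicalName value to the DNs that carry it."""
    holders = defaultdict(list)
    for dn, attrs in entries:
        for value in attrs.get('krbcanonicalname', []):
            holders[value].append(dn)
    return holders


def find_collisions(entries):
    """Canonical names held by more than one entry; a clean tree yields {}."""
    return {name: dns for name, dns in canonical_name_holders(entries).items()
            if len(dns) > 1}


def rogue_admin_entries(entries, realm, admin_dn_prefix='uid=admin,cn=users,'):
    """DNs that claim admin@REALM but are not the genuine admin user.
    The admin DN prefix is an assumption matching FreeIPA's default layout."""
    target = f'admin@{realm}'
    return [dn for dn, attrs in entries
            if target in attrs.get('krbcanonicalname', [])
            and not dn.lower().startswith(admin_dn_prefix)]


if __name__ == '__main__':
    ents = parse_ldif(SAMPLE_LDIF)
    for name, dns in find_collisions(ents).items():
        print(f'COLLISION {name}:')
        for dn in dns:
            print(f'    {dn}')
    for dn in rogue_admin_entries(ents, 'EXAMPLE.TEST'):
        print(f'ROGUE admin principal holder: {dn}')
```

On a live deployment, replace the embedded sample with the output of a search over the accounts subtree, for instance `ldapsearch -LLL -Y GSSAPI -b cn=accounts,<suffix> '(krbCanonicalName=*)' krbCanonicalName` with `<suffix>` replaced by the directory's base DN. A directory with uniqueness intact returns no collisions; any entry other than the admin user holding admin@REALM warrants investigation, since, as the description explains, a ticket obtained for that entry carries the admin identity.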

Remediation

Workaround:

  • No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.

Category

CVSS 3.1 base score: 9.1 (Severity: Critical)
EPSS: 0.06%
Vendor Advisory: redhat.com
Affected: Red Hat Enterprise Linux 10
Affected: Red Hat Enterprise Linux 7 Extended Lifecycle Support
Affected: Red Hat Enterprise Linux 8
Affected: Red Hat Enterprise Linux 8.2 Advanced Update Support
Affected: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
Affected: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
Affected: Red Hat Enterprise Linux 8.6 Telecommunications Update Service
Affected: Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
Affected: Red Hat Enterprise Linux 8.8 Telecommunications Update Service
Affected: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
Affected: Red Hat Enterprise Linux 9
Affected: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
Affected: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions
Affected: Red Hat Enterprise Linux 9.4 Extended Update Support
Affected: Red Hat Enterprise Linux 6

Frequently Asked Questions

What is the severity of CVE-2025-4404?
CVE-2025-4404 is rated critical, with a CVSS 3.1 base score of 9.1.
How to fix CVE-2025-4404?
No workaround is available: Red Hat states that no mitigation currently meets Red Hat Product Security's standards for usability, deployment, applicability, or stability. Refer to the Red Hat vendor advisory for fixed packages.
Is CVE-2025-4404 being actively exploited in the wild?
As of now, there is no information confirming that CVE-2025-4404 is being actively exploited. Its EPSS score of 0.06% corresponds to a roughly 0% probability of exploitation by malicious actors in the next 30 days.
What software or system is affected by CVE-2025-4404?
CVE-2025-4404 affects Red Hat Enterprise Linux 10, Red Hat Enterprise Linux 7 Extended Lifecycle Support, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.6 Telecommunications Update Service, Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions, Red Hat Enterprise Linux 8.8 Telecommunications Update Service, Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions, Red Hat Enterprise Linux 9, Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions, Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions, Red Hat Enterprise Linux 9.4 Extended Update Support, and Red Hat Enterprise Linux 6.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.