9.1 CVE-2025-4404

Enriched by CISA

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.
https://nvd.nist.gov/vuln/detail/CVE-2025-4404

References

af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2025/09/30/6

secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:9184
https://access.redhat.com/errata/RHSA-2025:9185
https://access.redhat.com/errata/RHSA-2025:9186
https://access.redhat.com/errata/RHSA-2025:9187
https://access.redhat.com/errata/RHSA-2025:9188
https://access.redhat.com/errata/RHSA-2025:9189
https://access.redhat.com/errata/RHSA-2025:9190
https://access.redhat.com/errata/RHSA-2025:9191
https://access.redhat.com/errata/RHSA-2025:9192
https://access.redhat.com/errata/RHSA-2025:9193
https://access.redhat.com/errata/RHSA-2025:9194
https://access.redhat.com/security/cve/CVE-2025-4404
https://bugzilla.redhat.com/show_bug.cgi?id=2364606
https://pagure.io/freeipa/c/6b9400c135ed16b10057b350cc9ce42aa0e862d4
https://pagure.io/freeipa/c/796ed20092d554ee0c9e23295e346ec1e8a0bf6e

AFFECTED (from MITRE)

Vendor	Product	Versions
N/A	N/A	< 4.12.4 [affected]
Red Hat	Red Hat Enterprise Linux 10	0:4.12.2-15.el10_0.1 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 7 Extended Lifecycle Support	0:4.6.8-5.el7_9.18 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8	8100020250603150652.143e9e98 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8	8100020250603134209.823393f5 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.2 Advanced Update Support	8020020250609031831.50ea30f9 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.2 Advanced Update Support	8020020250609030144.792f4060 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support	8040020250609101903.f153676a < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support	8040020250609095221.5b01ab7e < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support	8060020250606060927.c1533a64 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support	8060020250606060504.ada582f1 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.6 Telecommunications Update Service	8060020250606060927.c1533a64 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.6 Telecommunications Update Service	8060020250606060504.ada582f1 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions	8060020250606060927.c1533a64 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions	8060020250606060504.ada582f1 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.8 Telecommunications Update Service	8080020250604195510.e581a9e4 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.8 Telecommunications Update Service	8080020250604202433.b0a6ceea < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions	8080020250604195510.e581a9e4 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions	8080020250604202433.b0a6ceea < * [unaffected]
Red Hat	Red Hat Enterprise Linux 9	0:4.12.2-14.el9_6.1 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions	0:4.9.8-11.el9_0.4 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions	0:4.10.1-12.el9_2.4 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 9.4 Extended Update Support	0:4.11.0-15.el9_4.5 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 6
Red Hat	Red Hat In-Vehicle Operating System 1
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe	start	end

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
1	Accessing Functionality Not Properly Constrained by ACLs In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to. [Survey] The attacker surveys the target application, possibly as a valid and authenticated user [Identify Functionality] At each step, the attacker notes the resource or functionality access mechanism invoked upon performing specific actions [Iterate over access capabilities] Possibly as a valid user, the attacker then tries to access each of the noted access mechanisms directly in order to perform functions not constrained by the ACLs.	High
180	Exploiting Incorrectly Configured Access Control Security Levels An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack. [Survey] The attacker surveys the target application, possibly as a valid and authenticated user. [Identify weak points in access control configurations] The attacker probes the access control for functions and data identified in the Explore phase to identify potential weaknesses in how the access controls are configured. [Access the function or data bypassing the access control] The attacker executes the function or accesses the data identified in the Explore phase bypassing the access control.	Medium

MITRE

Techniques

id	description
T1574.010	Hijack Execution Flow: ServicesFile Permissions Weakness
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id	description
M1018	Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.
© 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation.

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee