9.1 CVE-2025-7493

Enriched by CISA

A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, where it fails to validate the uniqueness of the krbCanonicalName. While the previously released version added validations for the admin@REALM credential, FreeIPA still does not validate the root@REALM canonical name, which can also be used as the realm administrator's name. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.
https://nvd.nist.gov/vuln/detail/CVE-2025-7493

References

af854a3a-2127-422b-91ae-364da2661108

http://www.openwall.com/lists/oss-security/2025/09/30/6

secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:17084
https://access.redhat.com/errata/RHSA-2025:17085
https://access.redhat.com/errata/RHSA-2025:17086
https://access.redhat.com/errata/RHSA-2025:17087
https://access.redhat.com/errata/RHSA-2025:17088
https://access.redhat.com/errata/RHSA-2025:17129
https://access.redhat.com/errata/RHSA-2025:17645
https://access.redhat.com/errata/RHSA-2025:17646
https://access.redhat.com/errata/RHSA-2025:17647
https://access.redhat.com/errata/RHSA-2025:17648
https://access.redhat.com/errata/RHSA-2025:17649
https://access.redhat.com/security/cve/CVE-2025-7493
https://bugzilla.redhat.com/show_bug.cgi?id=2389448

AFFECTED (from MITRE)

Vendor	Product	Versions
Red Hat	Red Hat Enterprise Linux 10	0:4.12.2-15.el10_0.4 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 7 Extended Lifecycle Support	0:4.6.8-5.el7_9.23 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8	8100020250919180242.143e9e98 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8	8100020250918211722.823393f5 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.2 Advanced Update Support	8020020250924110056.50ea30f9 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.2 Advanced Update Support	8020020250924104944.792f4060 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support	8040020250923180004.f153676a < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support	8040020250923175408.5b01ab7e < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On	8040020250923180004.f153676a < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On	8040020250923175408.5b01ab7e < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support	8060020250916172436.c1533a64 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support	8060020250916174421.ada582f1 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.6 Telecommunications Update Service	8060020250916172436.c1533a64 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.6 Telecommunications Update Service	8060020250916174421.ada582f1 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions	8060020250916172436.c1533a64 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions	8060020250916174421.ada582f1 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.8 Telecommunications Update Service	8080020250918184739.e581a9e4 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.8 Telecommunications Update Service	8080020250918152850.b0a6ceea < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions	8080020250918184739.e581a9e4 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions	8080020250918152850.b0a6ceea < * [unaffected]
Red Hat	Red Hat Enterprise Linux 9	0:4.12.2-14.el9_6.5 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions	0:4.9.8-11.el9_0.5 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions	0:4.10.1-12.el9_2.6 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 9.4 Extended Update Support	0:4.11.0-15.el9_4.7 < * [unaffected]
Red Hat	Red Hat Enterprise Linux 6
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe	start	end

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
1	Accessing Functionality Not Properly Constrained by ACLs In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to. [Survey] The attacker surveys the target application, possibly as a valid and authenticated user [Identify Functionality] At each step, the attacker notes the resource or functionality access mechanism invoked upon performing specific actions [Iterate over access capabilities] Possibly as a valid user, the attacker then tries to access each of the noted access mechanisms directly in order to perform functions not constrained by the ACLs.	High
180	Exploiting Incorrectly Configured Access Control Security Levels An attacker exploits a weakness in the configuration of access controls and is able to bypass the intended protection that these measures guard against and thereby obtain unauthorized access to the system or network. Sensitive functionality should always be protected with access controls. However configuring all but the most trivial access control systems can be very complicated and there are many opportunities for mistakes. If an attacker can learn of incorrectly configured access security settings, they may be able to exploit this in an attack. [Survey] The attacker surveys the target application, possibly as a valid and authenticated user. [Identify weak points in access control configurations] The attacker probes the access control for functions and data identified in the Explore phase to identify potential weaknesses in how the access controls are configured. [Access the function or data bypassing the access control] The attacker executes the function or accesses the data identified in the Explore phase bypassing the access control.	Medium

MITRE

Techniques

id	description
T1574.010	Hijack Execution Flow: ServicesFile Permissions Weakness
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id	description
M1018	Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Deny execution from user directories such as file download directories and temp directories where able.
© 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation.

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee