CVE-2025-4404

CRITICAL

FreeIPA - Privilege Escalation

Title source: llm

Description

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.

Exploits (1)

nomisec WORKING POC 5 stars

by Im10n · poc

https://github.com/Im10n/CVE-2025-4404-POC

View Code ZIP pw:eip

References (16)

[Various Sources] https://pagure.io/freeipa/c/6b9400c135ed16b10057b350cc9ce42aa0e862d4

[Various Sources] https://pagure.io/freeipa/c/796ed20092d554ee0c9e23295e346ec1e8a0bf6e

[Mailing List] http://www.openwall.com/lists/oss-security/2025/09/30/6

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:9184

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:9185

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:9186

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:9187

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:9188

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:9189

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:9190

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:9191

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:9192

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:9193

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2025:9194

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2025-4404

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2364606

Scores

CVSS v3 9.1

EPSS 0.0029

EPSS Percentile 52.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Details

CWE

CWE-1220

Status published

Products (23)

Red Hat/Red Hat Enterprise Linux 10 0:4.12.2-15.el10_0.1

Red Hat/Red Hat Enterprise Linux 6

Red Hat/Red Hat Enterprise Linux 7 Extended Lifecycle Support 0:4.6.8-5.el7_9.18

Red Hat/Red Hat Enterprise Linux 8 8100020250603134209.823393f5

Red Hat/Red Hat Enterprise Linux 8 8100020250603150652.143e9e98

Red Hat/Red Hat Enterprise Linux 8.2 Advanced Update Support 8020020250609030144.792f4060

Red Hat/Red Hat Enterprise Linux 8.2 Advanced Update Support 8020020250609031831.50ea30f9

Red Hat/Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support 8040020250609095221.5b01ab7e

Red Hat/Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support 8040020250609101903.f153676a

Red Hat/Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support 8060020250606060504.ada582f1

... and 13 more

Published Jun 17, 2025

Tracked Since Feb 18, 2026