CVE-2025-4404

CRITICAL

Red Hat Enterprise Linux - Privilege Escalation via FreeIPA krbCanonicalName Uniqueness Bypass

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-4404. PoCs published by Im10n.

AI-analyzed exploit summary This PoC demonstrates a Kerberos ticket manipulation vulnerability in FreeIPA 4.12.4, allowing an attacker with a domain computer account to impersonate the admin account by setting the krbCanonicalName attribute to [email protected].

Description

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.

Exploits (1)

nomisec WORKING POC 5 stars

by Im10n · poc

https://github.com/Im10n/CVE-2025-4404-POC

View Code ZIP pw:eip

This PoC demonstrates a Kerberos ticket manipulation vulnerability in FreeIPA 4.12.4, allowing an attacker with a domain computer account to impersonate the admin account by setting the krbCanonicalName attribute to [email protected].

Classification

Working Poc 90%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: FreeIPA 4.12.4

Auth required

Prerequisites: Domain computer account · Access to LDAP and Kerberos services · FreeIPA 4.12.4 environment

MITRE ATT&CK

T1558 - Steal or Forge Kerberos Tickets

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (16)

Core 16

Core References

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2025:9184

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2025:9185

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2025:9186

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2025:9187

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2025:9188

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2025:9189

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2025:9190

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2025:9191

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2025:9192

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2025:9193

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2025:9194

Vendor Advisory vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2025-4404

Issue Tracking issue-tracking x_refsource_redhat

https://bugzilla.redhat.com/show_bug.cgi?id=2364606

Various Sources

https://pagure.io/freeipa/c/6b9400c135ed16b10057b350cc9ce42aa0e862d4

Various Sources

https://pagure.io/freeipa/c/796ed20092d554ee0c9e23295e346ec1e8a0bf6e

Mailing List

http://www.openwall.com/lists/oss-security/2025/09/30/6

Scores

CVSS v3 9.1

EPSS 0.0183

EPSS Percentile 76.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-1220

Status published

Products (23)

Red Hat/Red Hat Enterprise Linux 10 0:4.12.2-15.el10_0.1

Red Hat/Red Hat Enterprise Linux 6

Red Hat/Red Hat Enterprise Linux 7 Extended Lifecycle Support 0:4.6.8-5.el7_9.18

Red Hat/Red Hat Enterprise Linux 8 8100020250603134209.823393f5

Red Hat/Red Hat Enterprise Linux 8 8100020250603150652.143e9e98

Red Hat/Red Hat Enterprise Linux 8.2 Advanced Update Support 8020020250609030144.792f4060

Red Hat/Red Hat Enterprise Linux 8.2 Advanced Update Support 8020020250609031831.50ea30f9

Red Hat/Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support 8040020250609095221.5b01ab7e

Red Hat/Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support 8040020250609101903.f153676a

Red Hat/Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support 8060020250606060504.ada582f1

... and 13 more

Published Jun 17, 2025

Tracked Since Feb 18, 2026