CVE Alert

CVE-2025-4404

CRITICAL 9.1

FreeIPA: IdM: privilege escalation from host to domain admin in FreeIPA

CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
0th

A host-to-domain privilege escalation vulnerability was found in the FreeIPA project. By default, the FreeIPA package fails to validate that the `krbCanonicalName` of the admin account is unique, so users are allowed to create services with the same canonical name as the REALM admin. In a successful attack, the user retrieves a Kerberos ticket in the name of that service, and the ticket carries the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and its exfiltration.

CWE: CWE-1220
Published Jun 17, 2025
Last Updated Mar 5, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Affected Versions

Red Hat / Red Hat Enterprise Linux 10
All versions affected
Red Hat / Red Hat Enterprise Linux 7 Extended Lifecycle Support
All versions affected
Red Hat / Red Hat Enterprise Linux 8
All versions affected
Red Hat / Red Hat Enterprise Linux 8.2 Advanced Update Support
All versions affected
Red Hat / Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
All versions affected
Red Hat / Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
All versions affected
Red Hat / Red Hat Enterprise Linux 8.6 Telecommunications Update Service
All versions affected
Red Hat / Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
All versions affected
Red Hat / Red Hat Enterprise Linux 8.8 Telecommunications Update Service
All versions affected
Red Hat / Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
All versions affected
Red Hat / Red Hat Enterprise Linux 9
All versions affected
Red Hat / Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
All versions affected
Red Hat / Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions
All versions affected
Red Hat / Red Hat Enterprise Linux 9.4 Extended Update Support
All versions affected
Red Hat / Red Hat Enterprise Linux 6
All versions affected

References

NVD, CVE.org, EPSS Data

https://access.redhat.com/errata/RHSA-2025:9184
https://access.redhat.com/errata/RHSA-2025:9185
https://access.redhat.com/errata/RHSA-2025:9186
https://access.redhat.com/errata/RHSA-2025:9187
https://access.redhat.com/errata/RHSA-2025:9188
https://access.redhat.com/errata/RHSA-2025:9189
https://access.redhat.com/errata/RHSA-2025:9190
https://access.redhat.com/errata/RHSA-2025:9191
https://access.redhat.com/errata/RHSA-2025:9192
https://access.redhat.com/errata/RHSA-2025:9193
https://access.redhat.com/errata/RHSA-2025:9194
https://access.redhat.com/security/cve/CVE-2025-4404
https://bugzilla.redhat.com/show_bug.cgi?id=2364606
https://pagure.io/freeipa/c/6b9400c135ed16b10057b350cc9ce42aa0e862d4
https://pagure.io/freeipa/c/796ed20092d554ee0c9e23295e346ec1e8a0bf6e
http://www.openwall.com/lists/oss-security/2025/09/30/6

Credits

Red Hat would like to thank Mikhail Sukhov (Positive Technologies) for reporting this issue.