CVE-2025-11561
8.8 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): HIGH
by @LeSuisse Activity log
- Created automatic suggestion
- @LeSuisse dismissed
SSSD: SSSD default Kerberos configuration allows privilege escalation on AD-joined Linux systems
A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, SSSD does not enable the Kerberos local authentication plugin (sssd_krb5_localauth_plugin), allowing an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users. This can result in unauthorized access or privilege escalation on domain-joined Linux hosts.
References
- https://access.redhat.com/security/cve/CVE-2025-11561 x_refsource_REDHAT vdb-entry
- https://blog.async.sg/kerberos-ldr
- RHBZ#2402727 issue-tracking x_refsource_REDHAT
- RHSA-2025:19610 vendor-advisory x_refsource_REDHAT
- RHSA-2025:19847 vendor-advisory x_refsource_REDHAT
- RHSA-2025:19848 vendor-advisory x_refsource_REDHAT
- RHSA-2025:19849 vendor-advisory x_refsource_REDHAT
- RHSA-2025:19850 vendor-advisory x_refsource_REDHAT
- RHSA-2025:19851 vendor-advisory x_refsource_REDHAT
- RHSA-2025:19852 vendor-advisory x_refsource_REDHAT
- RHSA-2025:19853 vendor-advisory x_refsource_REDHAT
- RHSA-2025:19854 vendor-advisory x_refsource_REDHAT
- RHSA-2025:19859 vendor-advisory x_refsource_REDHAT
- RHSA-2025:20954 vendor-advisory x_refsource_REDHAT
- RHSA-2025:21020 vendor-advisory x_refsource_REDHAT
- RHSA-2025:21067 vendor-advisory x_refsource_REDHAT
- RHSA-2025:21329 vendor-advisory x_refsource_REDHAT
- RHSA-2025:21795 vendor-advisory x_refsource_REDHAT
- RHSA-2025:22256 vendor-advisory x_refsource_REDHAT
- RHSA-2025:22265 vendor-advisory x_refsource_REDHAT
- RHSA-2025:22277 vendor-advisory x_refsource_REDHAT
- RHSA-2025:22529 vendor-advisory x_refsource_REDHAT
- RHSA-2025:22548 vendor-advisory x_refsource_REDHAT
- RHSA-2025:22724 vendor-advisory x_refsource_REDHAT
- RHSA-2025:23113 vendor-advisory x_refsource_REDHAT
- RHSA-2026:0316 vendor-advisory x_refsource_REDHAT
- RHSA-2026:0677 vendor-advisory x_refsource_REDHAT
- https://access.redhat.com/security/cve/CVE-2025-11561 x_refsource_REDHAT vdb-entry
- https://blog.async.sg/kerberos-ldr
- RHBZ#2402727 issue-tracking x_refsource_REDHAT
Affected products
sssd
- =<2.11.1
- *
rhcos
- *
rhceph/rhceph-7-rhel9
- *
rhceph/rhceph-8-rhel9
- *
Package maintainers
- @illustris Harikrishnan R <me@illustris.tech>