CVE-2025-4404 - Vulnerability Details

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00128.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Redhat Subscribe	Enterprise Linux Subscribe Rhel Aus Subscribe Rhel E4s Subscribe Rhel Els Subscribe Rhel Eus Subscribe Rhel Tus Subscribe

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 10
ipa-0:4.12.2-15.el10_0.1	cpe:/o:redhat:enterprise_linux:10.0	RHSA-2025:9190	2025-06-17T00:00:00Z
Red Hat Enterprise Linux 7 Extended Lifecycle Support
ipa-0:4.6.8-5.el7_9.18	cpe:/o:redhat:rhel_els:7	RHSA-2025:9189	2025-06-17T00:00:00Z
Red Hat Enterprise Linux 8
idm:client-8100020250603150652.143e9e98	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:9188	2025-06-17T00:00:00Z
idm:DL1-8100020250603134209.823393f5	cpe:/a:redhat:enterprise_linux:8	RHSA-2025:9188	2025-06-17T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
idm:client-8020020250609031831.50ea30f9	cpe:/a:redhat:rhel_aus:8.2	RHSA-2025:9194	2025-06-17T00:00:00Z
idm:DL1-8020020250609030144.792f4060	cpe:/a:redhat:rhel_aus:8.2	RHSA-2025:9194	2025-06-17T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
idm:client-8040020250609101903.f153676a	cpe:/a:redhat:rhel_aus:8.4	RHSA-2025:9193	2025-06-17T00:00:00Z
idm:DL1-8040020250609095221.5b01ab7e	cpe:/a:redhat:rhel_aus:8.4	RHSA-2025:9193	2025-06-17T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
idm:client-8060020250606060927.c1533a64	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:9192	2025-06-17T00:00:00Z
idm:DL1-8060020250606060504.ada582f1	cpe:/a:redhat:rhel_aus:8.6	RHSA-2025:9192	2025-06-17T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
idm:client-8060020250606060927.c1533a64	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:9192	2025-06-17T00:00:00Z
idm:DL1-8060020250606060504.ada582f1	cpe:/a:redhat:rhel_tus:8.6	RHSA-2025:9192	2025-06-17T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
idm:client-8060020250606060927.c1533a64	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:9192	2025-06-17T00:00:00Z
idm:DL1-8060020250606060504.ada582f1	cpe:/a:redhat:rhel_e4s:8.6	RHSA-2025:9192	2025-06-17T00:00:00Z
Red Hat Enterprise Linux 8.8 Telecommunications Update Service
idm:client-8080020250604195510.e581a9e4	cpe:/a:redhat:rhel_tus:8.8	RHSA-2025:9191	2025-06-17T00:00:00Z
idm:DL1-8080020250604202433.b0a6ceea	cpe:/a:redhat:rhel_tus:8.8	RHSA-2025:9191	2025-06-17T00:00:00Z
Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
idm:client-8080020250604195510.e581a9e4	cpe:/a:redhat:rhel_e4s:8.8	RHSA-2025:9191	2025-06-17T00:00:00Z
idm:DL1-8080020250604202433.b0a6ceea	cpe:/a:redhat:rhel_e4s:8.8	RHSA-2025:9191	2025-06-17T00:00:00Z
Red Hat Enterprise Linux 9
ipa-0:4.12.2-14.el9_6.1	cpe:/a:redhat:enterprise_linux:9	RHSA-2025:9184	2025-06-17T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
ipa-0:4.9.8-11.el9_0.4	cpe:/a:redhat:rhel_e4s:9.0	RHSA-2025:9185	2025-06-17T00:00:00Z
Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions
ipa-0:4.10.1-12.el9_2.4	cpe:/a:redhat:rhel_e4s:9.2	RHSA-2025:9187	2025-06-17T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
ipa-0:4.11.0-15.el9_4.5	cpe:/a:redhat:rhel_eus:9.4	RHSA-2025:9186	2025-06-17T00:00:00Z

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2025-18495	A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.

Fixes

Solution

No solution given by the vendor.

Workaround

No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2025/09/30/6
https://access.redhat.com/errata/RHSA-2025:9184
https://access.redhat.com/errata/RHSA-2025:9185
https://access.redhat.com/errata/RHSA-2025:9186
https://access.redhat.com/errata/RHSA-2025:9187
https://access.redhat.com/errata/RHSA-2025:9188
https://access.redhat.com/errata/RHSA-2025:9189
https://access.redhat.com/errata/RHSA-2025:9190
https://access.redhat.com/errata/RHSA-2025:9191
https://access.redhat.com/errata/RHSA-2025:9192
https://access.redhat.com/errata/RHSA-2025:9193
https://access.redhat.com/errata/RHSA-2025:9194
https://access.redhat.com/security/cve/CVE-2025-4404
https://bugzilla.redhat.com/show_bug.cgi?id=2364606
https://nvd.nist.gov/vuln/detail/CVE-2025-4404
https://pagure.io/freeipa/c/6b9400c135ed16b10057b350cc9ce42aa0e862d4
https://pagure.io/freeipa/c/796ed20092d554ee0c9e23295e346ec1e8a0bf6e
https://www.cve.org/CVERecord?id=CVE-2025-4404

History

Wed, 05 Nov 2025 07:30:00 +0900

Type	Values Removed	Values Added
References		http://www.openwall.com/lists/oss-security/2025/09/30/6

Wed, 30 Jul 2025 03:15:00 +0900

Type	Values Removed	Values Added
References		https://pagure.io/freeipa/c/6b9400c135ed16b10057b350cc9ce42aa0e862d4 https://pagure.io/freeipa/c/796ed20092d554ee0c9e23295e346ec1e8a0bf6e

Thu, 19 Jun 2025 00:00:00 +0900

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:9 cpe:/a:redhat:rhel_aus:8.2 cpe:/a:redhat:rhel_aus:8.4 cpe:/a:redhat:rhel_aus:8.6 cpe:/a:redhat:rhel_e4s:8.6 cpe:/a:redhat:rhel_e4s:8.8 cpe:/a:redhat:rhel_e4s:9.0 cpe:/a:redhat:rhel_e4s:9.2 cpe:/a:redhat:rhel_eus:9.4 cpe:/a:redhat:rhel_tus:8.6 cpe:/a:redhat:rhel_tus:8.8
References		https://nvd.nist.gov/vuln/detail/CVE-2025-4404 https://www.cve.org/CVERecord?id=CVE-2025-4404
Metrics	threat_severity `None`	threat_severity `Important`

Wed, 18 Jun 2025 00:15:00 +0900

Type	Values Removed	Values Added
CPEs	~~cpe:/o:redhat:enterprise_linux:8~~	cpe:/a:redhat:enterprise_linux:8::appstream cpe:/a:redhat:rhel_aus:8.6::appstream cpe:/a:redhat:rhel_e4s:8.6::appstream cpe:/a:redhat:rhel_tus:8.6::appstream
References		https://access.redhat.com/errata/RHSA-2025:9188 https://access.redhat.com/errata/RHSA-2025:9192

Wed, 18 Jun 2025 00:00:00 +0900

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Eus
CPEs	~~cpe:/o:redhat:enterprise_linux:10~~	cpe:/a:redhat:rhel_eus:9.4::appstream cpe:/a:redhat:rhel_eus:9.4::crb cpe:/o:redhat:enterprise_linux:10.0
Vendors & Products		Redhat rhel Eus
References		https://access.redhat.com/errata/RHSA-2025:9186 https://access.redhat.com/errata/RHSA-2025:9190

Tue, 17 Jun 2025 23:45:00 +0900

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Aus Redhat rhel Els Redhat rhel Tus
CPEs	cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:9	cpe:/a:redhat:enterprise_linux:9::appstream cpe:/a:redhat:enterprise_linux:9::crb cpe:/a:redhat:rhel_aus:8.2::appstream cpe:/a:redhat:rhel_aus:8.4::appstream cpe:/a:redhat:rhel_e4s:8.8::appstream cpe:/a:redhat:rhel_e4s:9.2::appstream cpe:/a:redhat:rhel_tus:8.8::appstream cpe:/o:redhat:rhel_els:7
Vendors & Products		Redhat rhel Aus Redhat rhel Els Redhat rhel Tus
References		https://access.redhat.com/errata/RHSA-2025:9184 https://access.redhat.com/errata/RHSA-2025:9187 https://access.redhat.com/errata/RHSA-2025:9189 https://access.redhat.com/errata/RHSA-2025:9191 https://access.redhat.com/errata/RHSA-2025:9193 https://access.redhat.com/errata/RHSA-2025:9194

Tue, 17 Jun 2025 23:15:00 +0900

Type	Values Removed	Values Added
First Time appeared		Redhat rhel E4s
CPEs		cpe:/a:redhat:rhel_e4s:9.0::appstream
Vendors & Products		Redhat rhel E4s
References		https://access.redhat.com/errata/RHSA-2025:9185
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 17 Jun 2025 23:00:00 +0900

Type	Values Removed	Values Added
Description		A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.
Title		Freeipa: idm: privilege escalation from host to domain admin in freeipa
First Time appeared		Redhat Redhat enterprise Linux
Weaknesses		CWE-1220
CPEs		cpe:/o:redhat:enterprise_linux:10 cpe:/o:redhat:enterprise_linux:6 cpe:/o:redhat:enterprise_linux:7 cpe:/o:redhat:enterprise_linux:8 cpe:/o:redhat:enterprise_linux:9
Vendors & Products		Redhat Redhat enterprise Linux
References		https://access.redhat.com/security/cve/CVE-2025-4404 https://bugzilla.redhat.com/show_bug.cgi?id=2364606
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}`

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2025-06-17T13:39:17.945Z

Updated: 2025-11-06T21:03:41.016Z

Reserved: 2025-05-06T22:17:12.623Z

Link: CVE-2025-4404

Vulnrichment

Updated: 2025-11-04T21:10:45.625Z

NVD

Status : Awaiting Analysis

Published: 2025-06-17T14:15:32.743

Modified: 2025-11-04T22:16:19.523

Link: CVE-2025-4404

Redhat

Severity : Important

Publid Date: 2025-06-17T00:00:00Z

Links: CVE-2025-4404 - Bugzilla

OpenCVE Enrichment

No data.

Weaknesses

CWE-1220

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

Projects

JSON object

JSON object

JSON object

JSON object

JSON object