CVE-2025-11561

Sssd: sssd default kerberos configuration allows privilege escalation on ad-joined linux systems

Description

A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.

INFO

Published Date :

2025-10-09T13:37:53.089Z

Last Modified :

2026-03-19T17:18:09.567Z

Source :

redhat

AFFECTED PRODUCTS

The following products are affected by CVE-2025-11561 vulnerability.

Vendors	Products
Redhat	Ceph Storage Enterprise Linux Openshift Rhel Aus Rhel E4s Rhel Els Rhel Eus Rhel Eus Long Life Rhel Tus

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-11561.

URL	Resource
https://access.redhat.com/errata/RHSA-2025:19610
https://access.redhat.com/errata/RHSA-2025:19847
https://access.redhat.com/errata/RHSA-2025:19848
https://access.redhat.com/errata/RHSA-2025:19849
https://access.redhat.com/errata/RHSA-2025:19850
https://access.redhat.com/errata/RHSA-2025:19851
https://access.redhat.com/errata/RHSA-2025:19852
https://access.redhat.com/errata/RHSA-2025:19853
https://access.redhat.com/errata/RHSA-2025:19854
https://access.redhat.com/errata/RHSA-2025:19859
https://access.redhat.com/errata/RHSA-2025:20954
https://access.redhat.com/errata/RHSA-2025:21020
https://access.redhat.com/errata/RHSA-2025:21067
https://access.redhat.com/errata/RHSA-2025:21329
https://access.redhat.com/errata/RHSA-2025:21795
https://access.redhat.com/errata/RHSA-2025:22256
https://access.redhat.com/errata/RHSA-2025:22265
https://access.redhat.com/errata/RHSA-2025:22277
https://access.redhat.com/errata/RHSA-2025:22529
https://access.redhat.com/errata/RHSA-2025:22548
https://access.redhat.com/errata/RHSA-2025:22724
https://access.redhat.com/errata/RHSA-2025:23113
https://access.redhat.com/errata/RHSA-2026:0316
https://access.redhat.com/errata/RHSA-2026:0677
https://access.redhat.com/security/cve/CVE-2025-11561
https://blog.async.sg/kerberos-ldr
https://bugzilla.redhat.com/show_bug.cgi?id=2402727
https://github.com/SSSD/sssd/issues/8021
https://nvd.nist.gov/vuln/detail/CVE-2025-11561
https://www.cve.org/CVERecord?id=CVE-2025-11561

CVSS Vulnerability Scoring System

V3.1

Detailed values of each vector for above chart.

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality Impact

Integrity Impact

Availability Impact