CVE-2025-11561

8.8 HIGH

Published: October 09, 2025 Modified: December 11, 2025

Description

A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://access.redhat.com/errata/RHSA-2025:19610

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:19847

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:19848

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:19849

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:19850

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:19851

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:19852

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:19853

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:19854

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:19859

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:20954

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:21020

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:21067

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:21329

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:21795

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:22256

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:22265

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:22277

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:22529

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:22548

Source: secalert@redhat.com

https://access.redhat.com/errata/RHSA-2025:22724

Source: secalert@redhat.com

https://access.redhat.com/security/cve/CVE-2025-11561

Source: secalert@redhat.com

https://blog.async.sg/kerberos-ldr

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=2402727

Source: secalert@redhat.com

24 reference(s) from NVD

Quick Stats

CVSS v3 Score

8.8 / 10.0

EPSS (Exploit Probability)

0.2%

39th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-269

Related CVEs

CVE-2025-69261 N/A

CVE-2025-69257 6.7

CVE-2025-69210 N/A

CVE-2025-66823 N/A

CVE-2025-50343 N/A