A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00116.

Exploitation none

Automatable no

Technical Impact total

Affected Vendors & Products

Vendors Products
Redhat
  • Enterprise Linux
  • Rhel Aus
  • Rhel E4s
  • Rhel Els
  • Rhel Eus
  • Rhel Tus

No data.

Package CPE Advisory Released Date
Red Hat Enterprise Linux 10
ipa-0:4.12.2-15.el10_0.1 cpe:/o:redhat:enterprise_linux:10.0 RHSA-2025:9190 2025-06-17T00:00:00Z
Red Hat Enterprise Linux 7 Extended Lifecycle Support
ipa-0:4.6.8-5.el7_9.18 cpe:/o:redhat:rhel_els:7 RHSA-2025:9189 2025-06-17T00:00:00Z
Red Hat Enterprise Linux 8
idm:client-8100020250603150652.143e9e98 cpe:/a:redhat:enterprise_linux:8 RHSA-2025:9188 2025-06-17T00:00:00Z
idm:DL1-8100020250603134209.823393f5 cpe:/a:redhat:enterprise_linux:8 RHSA-2025:9188 2025-06-17T00:00:00Z
Red Hat Enterprise Linux 8.2 Advanced Update Support
idm:client-8020020250609031831.50ea30f9 cpe:/a:redhat:rhel_aus:8.2 RHSA-2025:9194 2025-06-17T00:00:00Z
idm:DL1-8020020250609030144.792f4060 cpe:/a:redhat:rhel_aus:8.2 RHSA-2025:9194 2025-06-17T00:00:00Z
Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
idm:client-8040020250609101903.f153676a cpe:/a:redhat:rhel_aus:8.4 RHSA-2025:9193 2025-06-17T00:00:00Z
idm:DL1-8040020250609095221.5b01ab7e cpe:/a:redhat:rhel_aus:8.4 RHSA-2025:9193 2025-06-17T00:00:00Z
Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
idm:client-8060020250606060927.c1533a64 cpe:/a:redhat:rhel_aus:8.6 RHSA-2025:9192 2025-06-17T00:00:00Z
idm:DL1-8060020250606060504.ada582f1 cpe:/a:redhat:rhel_aus:8.6 RHSA-2025:9192 2025-06-17T00:00:00Z
Red Hat Enterprise Linux 8.6 Telecommunications Update Service
idm:client-8060020250606060927.c1533a64 cpe:/a:redhat:rhel_tus:8.6 RHSA-2025:9192 2025-06-17T00:00:00Z
idm:DL1-8060020250606060504.ada582f1 cpe:/a:redhat:rhel_tus:8.6 RHSA-2025:9192 2025-06-17T00:00:00Z
Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
idm:client-8060020250606060927.c1533a64 cpe:/a:redhat:rhel_e4s:8.6 RHSA-2025:9192 2025-06-17T00:00:00Z
idm:DL1-8060020250606060504.ada582f1 cpe:/a:redhat:rhel_e4s:8.6 RHSA-2025:9192 2025-06-17T00:00:00Z
Red Hat Enterprise Linux 8.8 Telecommunications Update Service
idm:client-8080020250604195510.e581a9e4 cpe:/a:redhat:rhel_tus:8.8 RHSA-2025:9191 2025-06-17T00:00:00Z
idm:DL1-8080020250604202433.b0a6ceea cpe:/a:redhat:rhel_tus:8.8 RHSA-2025:9191 2025-06-17T00:00:00Z
Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
idm:client-8080020250604195510.e581a9e4 cpe:/a:redhat:rhel_e4s:8.8 RHSA-2025:9191 2025-06-17T00:00:00Z
idm:DL1-8080020250604202433.b0a6ceea cpe:/a:redhat:rhel_e4s:8.8 RHSA-2025:9191 2025-06-17T00:00:00Z
Red Hat Enterprise Linux 9
ipa-0:4.12.2-14.el9_6.1 cpe:/a:redhat:enterprise_linux:9 RHSA-2025:9184 2025-06-17T00:00:00Z
Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions
ipa-0:4.9.8-11.el9_0.4 cpe:/a:redhat:rhel_e4s:9.0 RHSA-2025:9185 2025-06-17T00:00:00Z
Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions
ipa-0:4.10.1-12.el9_2.4 cpe:/a:redhat:rhel_e4s:9.2 RHSA-2025:9187 2025-06-17T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
ipa-0:4.11.0-15.el9_4.5 cpe:/a:redhat:rhel_eus:9.4 RHSA-2025:9186 2025-06-17T00:00:00Z

No data.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-18495 A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.
Fixes

Solution

No solution given by the vendor.

Workaround

No mitigation is currently available that meets Red Hat Product Security’s standards for usability, deployment, applicability, or stability.

References
Link Providers
https://access.redhat.com/errata/RHSA-2025:9184 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:9185 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:9186 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:9187 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:9188 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:9189 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:9190 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:9191 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:9192 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:9193 cve-icon cve-icon
https://access.redhat.com/errata/RHSA-2025:9194 cve-icon cve-icon
https://access.redhat.com/security/cve/CVE-2025-4404 cve-icon cve-icon
https://bugzilla.redhat.com/show_bug.cgi?id=2364606 cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-4404 cve-icon
https://pagure.io/freeipa/c/6b9400c135ed16b10057b350cc9ce42aa0e862d4 cve-icon cve-icon
https://pagure.io/freeipa/c/796ed20092d554ee0c9e23295e346ec1e8a0bf6e cve-icon cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-4404 cve-icon
History

Tue, 29 Jul 2025 18:15:00 +0000

Type Values Removed Values Added
References

Wed, 18 Jun 2025 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:enterprise_linux:8
cpe:/a:redhat:enterprise_linux:9
cpe:/a:redhat:rhel_aus:8.2
cpe:/a:redhat:rhel_aus:8.4
cpe:/a:redhat:rhel_aus:8.6
cpe:/a:redhat:rhel_e4s:8.6
cpe:/a:redhat:rhel_e4s:8.8
cpe:/a:redhat:rhel_e4s:9.0
cpe:/a:redhat:rhel_e4s:9.2
cpe:/a:redhat:rhel_eus:9.4
cpe:/a:redhat:rhel_tus:8.6
cpe:/a:redhat:rhel_tus:8.8
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 17 Jun 2025 15:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/o:redhat:enterprise_linux:8 cpe:/a:redhat:enterprise_linux:8::appstream
cpe:/a:redhat:rhel_aus:8.6::appstream
cpe:/a:redhat:rhel_e4s:8.6::appstream
cpe:/a:redhat:rhel_tus:8.6::appstream
References

Tue, 17 Jun 2025 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Eus
CPEs cpe:/o:redhat:enterprise_linux:10 cpe:/a:redhat:rhel_eus:9.4::appstream
cpe:/a:redhat:rhel_eus:9.4::crb
cpe:/o:redhat:enterprise_linux:10.0
Vendors & Products Redhat rhel Eus
References

Tue, 17 Jun 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel Aus
Redhat rhel Els
Redhat rhel Tus
CPEs cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:9		 cpe:/a:redhat:enterprise_linux:9::appstream
cpe:/a:redhat:enterprise_linux:9::crb
cpe:/a:redhat:rhel_aus:8.2::appstream
cpe:/a:redhat:rhel_aus:8.4::appstream
cpe:/a:redhat:rhel_e4s:8.8::appstream
cpe:/a:redhat:rhel_e4s:9.2::appstream
cpe:/a:redhat:rhel_tus:8.8::appstream
cpe:/o:redhat:rhel_els:7
Vendors & Products Redhat rhel Aus
Redhat rhel Els
Redhat rhel Tus
References

Tue, 17 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat rhel E4s
CPEs cpe:/a:redhat:rhel_e4s:9.0::appstream
Vendors & Products Redhat rhel E4s
References
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 17 Jun 2025 14:00:00 +0000

Type Values Removed Values Added
Description A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.
Title Freeipa: idm: privilege escalation from host to domain admin in freeipa
First Time appeared Redhat
Redhat enterprise Linux
Weaknesses CWE-1220
CPEs cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-09-12T18:24:30.537Z

Reserved: 2025-05-06T22:17:12.623Z

Link: CVE-2025-4404

cve-icon Vulnrichment

Updated: 2025-06-17T14:00:12.194Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2025-06-17T14:15:32.743

Modified: 2025-07-29T18:15:29.983

Link: CVE-2025-4404

cve-icon Redhat

Severity : Important

Publid Date: 2025-06-17T00:00:00Z

Links: CVE-2025-4404 - Bugzilla

cve-icon OpenCVE Enrichment

No data.