Brief Summary: CVE-2025-11561 SSSD Active Directory Authentication Bypass Vulnerability

This post provides a brief summary of CVE-2025-11561, a high-severity authentication bypass vulnerability affecting SSSD when integrated with Active Directory. The flaw allows attackers with AD attribute modification permissions to impersonate privileged users on Linux systems. Technical details, affected configurations, and references are included.

ZeroPath CVE Analysis

2025-10-09

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Attackers with delegated permissions in Active Directory can gain unauthorized access to privileged Linux accounts without ever knowing their passwords. CVE-2025-11561 exposes a critical gap in how Linux systems integrated with Active Directory via SSSD handle Kerberos principal mapping, potentially enabling privilege escalation across enterprise environments [1][4].

SSSD (System Security Services Daemon) is a core component for Linux-Active Directory integration in enterprise environments. It is widely adopted in Red Hat Enterprise Linux and other major distributions, providing centralized authentication and identity management. Microsoft Active Directory is the dominant enterprise directory service, used by the majority of large organizations worldwide. The intersection of these technologies is foundational for cross-platform authentication and access control.

Technical Information

CVE-2025-11561 is rooted in the default configuration of SSSD when used for Active Directory integration. The sssd_krb5_localauth_plugin, the Kerberos localauth module that resolves a Kerberos principal to a local user name by asking SSSD which account actually owns that principal, is not enabled by default [2]. Without it, the Kerberos library falls back to its built-in principal-to-local name mapping (the DEFAULT auth_to_local rule): for a single-component principal in the default realm, the realm is stripped and the name component becomes the local user name (a principal named admin in the default realm maps to the local user admin), and the identity behind the principal is never consulted. The local name is therefore derived from a string an attacker may be able to control.

If an attacker has permission to modify the userPrincipalName or sAMAccountName attribute in Active Directory, they can set the attribute on an account they control so that the resulting Kerberos principal carries the name of a privileged user (such as a Linux administrator). When the attacker then authenticates to a Linux system with Kerberos through any service that maps the principal to a local account via the Kerberos library, the absence of the local authorization plugin means the principal's name component is accepted as the local user name, and the attacker lands in the privileged account. With the plugin active, SSSD instead looks up the account that owns the principal and returns that account's own login name, so the tampered value never resolves to a different user. Without the plugin the result is unauthorized access or privilege escalation [1][4][7].
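The two mapping paths contrasted above, as an added illustrative model written for this post (it is not SSSD or MIT krb5 code). The realm EXAMPLE.COM, the directory contents and the account names are constructed sample data; the model also omits the ~/.k5login handling that krb5_kuserok performs.

```python
"""Illustrative model of principal-to-local-name mapping with and without the
SSSD localauth plugin. Written for this post; not SSSD or MIT krb5 code.
The realm, the directory contents and the account names are constructed."""

DEFAULT_REALM = "EXAMPLE.COM"

# Constructed stand-in for Active Directory: sAMAccountName -> userPrincipalName.
# The attacker controls the UPN of the "attacker" account and has pointed it at
# a name that also exists as a privileged account on the Linux host.
DIRECTORY = {
    "alice":    "alice@EXAMPLE.COM",
    "attacker": "root@EXAMPLE.COM",   # tampered attribute value
}


def default_auth_to_local(principal, default_realm=DEFAULT_REALM):
    """MIT krb5 DEFAULT auth_to_local rule (what applies when no plugin and no
    auth_to_local rules are configured): a single-component principal in the
    default realm maps to its name component; anything else fails to map.
    Only the principal string is consulted, never the identity behind it."""
    name, sep, realm = principal.rpartition("@")
    if not sep or realm != default_realm or "/" in name or not name:
        return None
    return name


def sssd_plugin_map(principal, directory=DIRECTORY):
    """Simplified view of the SSSD localauth plugin's an2ln step: resolve the
    principal to the directory account that owns it and return that account's
    own login name. The principal's name component is never used as a user name.
    AD names are case-insensitive, hence the lower() comparison."""
    for login_name, upn in directory.items():
        if upn.lower() == principal.lower():
            return login_name
    return None


def kuserok(principal, requested_login, mapper):
    """krb5_kuserok-style decision: the principal may log in as requested_login
    only if the active mapper resolves it to exactly that name."""
    return mapper(principal) == requested_login


def demo():
    """Same tampered principal through both mappers; returns
    (accepted_without_plugin, accepted_with_plugin)."""
    principal = DIRECTORY["attacker"]          # "root@EXAMPLE.COM"
    return (kuserok(principal, "root", default_auth_to_local),
            kuserok(principal, "root", sssd_plugin_map))


if __name__ == "__main__":
    without_plugin, with_plugin = demo()
    print("root login accepted without plugin:", without_plugin)  # True
    print("root login accepted with plugin:   ", with_plugin)     # False
```

The point the model makes is that the DEFAULT rule turns a principal into a user name by string manipulation, while the plugin turns it into an identity: the tampered principal still belongs to the attacker's own account, so the plugin returns "attacker", and a request to log in as root is refused.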

The vulnerability is present in SSSD's default configuration unless the sssd_krb5_localauth_plugin is explicitly enabled in the Kerberos configuration. When an AD domain is started, SSSD writes a snippet that registers the plugin (a [plugins] section with a localauth stanza naming the module) into its public Kerberos configuration snippet directory, /var/lib/sss/pubconf/krb5.include.d/ by default, but that snippet only takes effect if the active Kerberos configuration (typically /etc/krb5.conf) contains an includedir directive for the directory [2][5]. Confirming that the directive is present, and that the snippet behind it actually registers the module, is the practical way to verify that a host is not exposed.
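A host-side check for that condition, added for this post (it is not SSSD's own tooling): it reads the include/includedir directives of krb5.conf, confirms that the SSSD snippet directory is included, and confirms that the snippet there registers the module. The default snippet path and the module path /usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so used in the sample follow the Red Hat/Fedora layout and are assumptions for other distributions; the sample configuration texts are constructed.

```python
"""Check whether the SSSD localauth plugin snippet is reachable from krb5.conf.
Added for this post; not part of SSSD. Paths assume the Red Hat/Fedora layout."""
import os
import re

SNIPPET_DIR = "/var/lib/sss/pubconf/krb5.include.d"   # SSSD's public snippet dir
SNIPPET_NAME = "localauth_plugin"                     # file SSSD writes there
PLUGIN_MODULE = "sssd_krb5_localauth_plugin"

# include/includedir directives must start the line (leading whitespace tolerated).
_INCLUDE_RE = re.compile(r"^\s*(include|includedir)\s+(\S+)\s*$")

# Constructed samples. The snippet mirrors the stanza SSSD writes; the module
# path is the Fedora/RHEL one and is an assumption for other distributions.
SAMPLE_SNIPPET = """[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }
"""
SAMPLE_KRB5_CONF_OK = """includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = EXAMPLE.COM
"""
SAMPLE_KRB5_CONF_EXPOSED = """includedir /etc/krb5.conf.d/

[libdefaults]
 default_realm = EXAMPLE.COM
"""


def included_paths(krb5_conf_text):
    """Targets of include/includedir directives, trailing slashes removed."""
    paths = []
    for line in krb5_conf_text.splitlines():
        m = _INCLUDE_RE.match(line)
        if m:
            paths.append(m.group(2).rstrip("/"))
    return paths


def registers_plugin(snippet_text):
    """True if a [plugins] section has a localauth stanza whose module line
    names the SSSD plugin."""
    in_plugins = in_localauth = False
    for raw in snippet_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_plugins = line == "[plugins]"
            in_localauth = False
        elif in_plugins and re.match(r"localauth\s*=\s*\{", line):
            in_localauth = True
        elif line == "}":
            in_localauth = False
        elif in_localauth and line.startswith("module") and PLUGIN_MODULE in line:
            return True
    return False


def audit(krb5_conf_text, snippet_files, snippet_dir=SNIPPET_DIR):
    """Decide whether the plugin is active. snippet_files maps file name -> content
    for the files found in snippet_dir (read from disk by audit_host, or
    constructed for a test). Returns (ok, reason)."""
    includes = included_paths(krb5_conf_text)
    snippet_path = f"{snippet_dir}/{SNIPPET_NAME}"
    if snippet_dir not in includes and snippet_path not in includes:
        return False, f"krb5.conf has no includedir for {snippet_dir}"
    body = snippet_files.get(SNIPPET_NAME)
    if body is None:
        return False, f"{snippet_path} not found (is the SSSD AD domain running?)"
    if not registers_plugin(body):
        return False, f"{snippet_path} does not register {PLUGIN_MODULE}"
    return True, f"{PLUGIN_MODULE} is registered via {snippet_path}"


def audit_host(krb5_conf="/etc/krb5.conf", snippet_dir=SNIPPET_DIR):
    """Run audit() against the live files on this host."""
    with open(krb5_conf) as f:
        text = f.read()
    files = {}
    if os.path.isdir(snippet_dir):
        for name in os.listdir(snippet_dir):
            path = os.path.join(snippet_dir, name)
            if os.path.isfile(path):
                with open(path) as f:
                    files[name] = f.read()
    return audit(text, files, snippet_dir)


if __name__ == "__main__":
    ok, reason = audit_host()
    print(("OK: " if ok else "EXPOSED: ") + reason)
    raise SystemExit(0 if ok else 1)
```

Run as root on the joined host; a non-zero exit means the snippet directory is not included, the snippet is absent, or it does not register the module. The check is deliberately split so the decision logic works on text alone and can be exercised without touching /etc/krb5.conf.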

The root cause is improper privilege management (CWE-269) due to insecure default principal mapping behavior when the plugin is not active [6]. Attackers leveraging this flaw must already have permissions to modify relevant AD attributes, which is a common scenario in environments with delegated administration [7].

Affected Systems and Versions

CVE-2025-11561 affects Linux systems integrated with Microsoft Active Directory using SSSD, specifically when the sssd_krb5_localauth_plugin is not enabled in the Kerberos configuration. The vulnerability is present in default SSSD configurations across major distributions, including Red Hat Enterprise Linux, unless the plugin is explicitly activated [1][2][5].

Affected configurations:

  • Any Linux system using SSSD for AD integration where the sssd_krb5_localauth_plugin is not enabled
  • Default deployments of SSSD as packaged by Red Hat and other vendors
  • All SSSD versions where this plugin is not enabled by default (no specific version range is provided in public sources)

Vendor Security History

SSSD is developed upstream as an open-source project, with Red Hat as its principal sponsor and the vendor shipping it in its supported enterprise Linux distributions. Previous research has identified privilege separation issues in SSSD, including escalation paths through helper binaries [9]. The project is actively maintained, and Red Hat coordinates vulnerability disclosures and documentation updates. For CVE-2025-11561, the vendor response focused on documentation and configuration guidance rather than a code patch, since the issue is treated as a configuration hardening requirement [1][9].

References