Introduction
Remote attackers can execute arbitrary commands as root on unpatched SUSE Manager systems, including both on-premise and cloud deployments. This critical flaw impacts organizations relying on SUSE Manager for centralized Linux infrastructure management, putting entire environments at risk until patched.
About SUSE and SUSE Manager: SUSE is a leading enterprise Linux vendor with a global presence, serving thousands of organizations across industries. SUSE Manager is a flagship product for managing Linux servers at scale, automating patching, configuration, and compliance for heterogeneous environments. Its widespread use in enterprise and cloud settings means vulnerabilities in SUSE Manager can have broad operational impact.
Technical Information
CVE-2025-46811 is a missing authentication vulnerability in the websocket endpoint /rhn/websocket/minion/remote-commands within SUSE Manager. In affected versions, this endpoint does not enforce authentication, allowing any network-accessible user to send commands that are executed as root.
- Vulnerability mechanism: The websocket handler for remote commands fails to verify the identity or privileges of the connecting user. Any party able to reach the endpoint can issue arbitrary commands, which are executed with root privileges on the SUSE Manager server.
- Attack vector: Remote, network-based. No authentication or prior access is required. Attackers can interact directly with the websocket endpoint and send malicious payloads.
- Root cause: Absence of authentication logic in the websocket handler for
/rhn/websocket/minion/remote-commands. This exposes critical administrative functionality to unauthenticated users. - Classification: CWE-306 (Missing Authentication for Critical Function)
- No code snippets or PoC: No public code samples or proof of concept are available as of this writing.
Patch Information
To address the critical vulnerability identified as CVE-2025-46811, SUSE has released updates for the affected components. This vulnerability allowed unauthorized users to execute arbitrary commands as root via the websocket at /rhn/websocket/minion/remote-commands. The patch introduces stringent authentication mechanisms to prevent such unauthorized access.
Key Changes Implemented in the Patch:
-
Authentication Enforcement:
- The websocket endpoint now requires proper authentication tokens, ensuring that only authorized users can access and execute commands.
-
Access Control Enhancements:
- Role-based access controls have been refined to limit command execution capabilities to users with appropriate privileges.
-
Logging and Monitoring:
- Enhanced logging mechanisms have been integrated to monitor access and command execution, facilitating prompt detection of any unauthorized activities.
Code Snippet Illustrating the Authentication Enhancement:
// Pseudocode representation of the authentication check if (!request.hasValidAuthToken()) { response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Authentication Required"); return; }
Recommended Actions for Users:
-
Immediate Update:
- Users should promptly update their SUSE Manager installations to the latest versions where this vulnerability has been addressed. The specific versions containing the fix are detailed in the SUSE security advisories.
-
Review Access Controls:
- Administrators are advised to review and adjust user roles and permissions to ensure that only authorized personnel have access to critical functions.
-
Monitor System Logs:
- Regularly monitor system logs for any unusual activities, especially related to websocket connections and command executions.
For detailed information on the affected products and the specific package versions containing the fixes, please refer to the SUSE security advisories:
These advisories provide comprehensive details on the updates and instructions for applying them.
Detection Methods
Detecting unauthorized access through the /rhn/websocket/minion/remote-commands endpoint requires vigilant monitoring of network traffic and system logs. Security teams should implement the following strategies:
-
Network Traffic Analysis: Monitor for unusual or unauthorized connections to the
/rhn/websocket/minion/remote-commandsendpoint. An unexpected increase in traffic to this endpoint may indicate exploitation attempts. -
Log Inspection: Regularly review system and application logs for entries related to the execution of commands via the websocket. Look for anomalies such as commands executed without proper authentication or commands that deviate from normal operational patterns.
-
Anomaly Detection Systems: Deploy intrusion detection systems (IDS) or security information and event management (SIEM) solutions configured to alert on suspicious activities associated with the websocket endpoint.
By proactively monitoring these areas, organizations can identify and respond to potential exploitation of this vulnerability.
Affected Systems and Versions
The following products and versions are affected by CVE-2025-46811:
- Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: All versions before 0.3.7-150600.3.6.2
- Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: All versions before 5.0.14-150600.4.17.1
- Image SLES15-SP4-Manager-Server-4-3-BYOS: All versions before 4.3.33-150400.3.55.2
- Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure: All versions before 4.3.33-150400.3.55.2
- Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2: All versions before 4.3.33-150400.3.55.2
- Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE: All versions before 4.3.33-150400.3.55.2
- SUSE Manager Server Module 4.3: All versions before 0.3.7-150400.3.39.4 and before 4.3.33-150400.3.55.2
Refer to the official advisories for the complete list of affected and fixed versions.
Vendor Security History
SUSE has a strong track record of rapid vulnerability response and transparent communication. Previous issues in SUSE Manager have included authentication and privilege escalation vulnerabilities, but the vendor typically releases patches quickly and provides detailed advisories. Their security maturity is considered high within the enterprise Linux ecosystem.