Improper privilege management in System Security Services Daemon (SSSD) - CVE-2025-11561

Published: October 28, 2025


Vulnerability identifier: #VU117689
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/U:Green
CVE-ID: CVE-2025-11561
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: SSSD
Affected software:
System Security Services Daemon (SSSD)

Detailed vulnerability description

The vulnerability allows a remote user to bypass authorization checks.

The vulnerability exists due to improper privilege management within the Active Directory integration feature. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the built-in an2ln plugin remains possible. This fallback allows an attacker who has permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.
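As an added example (not SSSD's or Cybersecurity Help's code), the following audit script inspects the MIT Kerberos `[plugins] localauth` block and reports whether the SSSD plugin is loaded with the an2ln fallback still reachable, which is the default state described above. It assumes the krb5.conf `[plugins]` syntax documented by MIT Kerberos, where `enable_only = sssd` restricts localauth to the SSSD module so the built-in an2ln module is no longer consulted; the sample configurations are constructed.

```python
import re

# Constructed sample: the shape SSSD drops into krb5.conf by default.
DEFAULT_KRB5_CONF = """
[libdefaults]
 default_realm = EXAMPLE.TEST

[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }
"""

# Same file with the module list restricted to SSSD (assumed hardened form,
# relying on MIT Kerberos' documented enable_only plugin option).
RESTRICTED_KRB5_CONF = DEFAULT_KRB5_CONF.replace(" }", "  enable_only = sssd\n }")


def parse_localauth(conf: str) -> dict:
    """Return {'module': [...], 'enable_only': [...]} collected from the
    [plugins] localauth = { ... } block; both lists are empty if absent."""
    found = {"module": [], "enable_only": []}
    section, in_block = None, False
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:                                     # new section header
            section, in_block = m.group(1), False
            continue
        if section != "plugins":
            continue
        if re.fullmatch(r"localauth\s*=\s*\{", line):
            in_block = True
            continue
        if in_block and line == "}":
            in_block = False
            continue
        if in_block and "=" in line:
            key, _, value = (p.strip() for p in line.partition("="))
            if key in found:
                found[key].append(value)
    return found


def audit_localauth(conf: str) -> str:
    """'sssd-only': an2ln fallback cut off; 'sssd-with-fallback': plugin
    loaded but an2ln still reachable (the default); 'no-sssd-plugin'."""
    la = parse_localauth(conf)
    if not any(mod.startswith("sssd:") for mod in la["module"]):
        return "no-sssd-plugin"
    return "sssd-only" if la["enable_only"] == ["sssd"] else "sssd-with-fallback"


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_KRB5_CONF), ("restricted", RESTRICTED_KRB5_CONF)):
        print(f"{name}: {audit_localauth(conf)}")
```

Run it against the contents of `/etc/krb5.conf` and any files it includes; a `sssd-with-fallback` result means the host is in the default state the advisory describes.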


How to mitigate CVE-2025-11561

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Sources