#VU117689 Improper privilege management in System Security Services Daemon (SSSD) - CVE-2025-11561
Published: October 28, 2025
Vulnerability identifier: #VU117689
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/U:Green
CVE-ID: CVE-2025-11561
CWE-ID: CWE-269
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
System Security Services Daemon (SSSD)
System Security Services Daemon (SSSD)
Software vendor:
SSSD
SSSD
Description
The vulnerability allows a remote user to bypass authorization checks.
The vulnerability exists due to improper privilege management within the Active Directory integration feature. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.
Remediation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.