CVE-2025-11561: Improper Privilege Management
A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.
AI Analysis
Technical Summary
CVE-2025-11561 is a vulnerability in the integration between Active Directory and the System Security Services Daemon (SSSD) on Linux systems, notably Red Hat Enterprise Linux 10. It stems from the default configuration, in which SSSD's Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is registered with the system Kerberos library. The plugin does not authenticate anyone; it answers the library's principal-to-local-name question, that is, which POSIX account a Kerberos principal (for example jdoe@AD.EXAMPLE.COM) may log in as, by asking SSSD for the mapping. When the plugin does not produce a mapping, the Kerberos library falls back to its built-in an2ln module, which applies auth_to_local rules and, with the default rule, simply strips the realm from any single-component principal in the default realm. An attacker who can write specific Active Directory attributes such as userPrincipalName or sAMAccountName on an account can therefore shape the principal name under which they authenticate so that the fallback resolves it to a privileged local user, bypassing the intended identity mapping and gaining elevated privileges on domain-joined Linux hosts. The flaw affects the confidentiality, integrity and availability of affected systems through this privilege escalation. The CVSS 3.1 base score of 8.8 (High) corresponds to a network attack vector, low attack complexity, low privileges required and no user interaction, with unchanged scope and high impact on all three properties. No in-the-wild exploitation had been reported at the time of writing, but the low complexity, and the fact that the attacker needs attribute write access in AD rather than any existing privilege on the Linux host, make it a serious concern for organizations that rely on AD-SSSD integration for Linux authentication.
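As an added illustration (not part of the advisory, and not SSSD's or Red Hat's own documentation), the krb5.conf plugin stanza involved in the fallback. The first stanza is the shape in which SSSD registers its module on a domain-joined host; the include file and module path are the usual RHEL locations and are assumptions here. With only the module listed, the Kerberos library still consults its built-in an2ln module when the SSSD module declines a principal. The second stanza adds a `disable` line so that an unmapped principal fails instead of falling through. `disable` is a documented tag of the MIT Kerberos `[plugins]` section; whether turning off an2ln is the vendor-endorsed mitigation for this CVE, and whether any non-SSSD Kerberos logins on the host depend on it, has to be checked against Red Hat's advisory and the host's own configuration before deploying.

```ini
# Stock shape (typically written by SSSD under /var/lib/sss/pubconf/krb5.include.d/
# and pulled in by an includedir line in /etc/krb5.conf): only the SSSD module is
# named, so the library's built-in an2ln module remains a fallback whenever SSSD
# does not map a principal.
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }

# Hardened variant (added example, assumption: confirm against vendor guidance
# before use). With an2ln disabled, a principal SSSD does not map is rejected
# rather than reduced to its realm-stripped first component.
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
  disable = an2ln
 }
```

Note that an2ln is also the module that applies any auth_to_local rules listed under `[realms]`, so disabling it silences those rules as well; a host that relies on them for legitimate mappings needs explicit handling before this change, and the fix shipped in updated sssd packages is the preferred remedy.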
Potential Impact
The vulnerability lets an attacker who holds only write access to the userPrincipalName or sAMAccountName attribute of an Active Directory account (for example through delegated help-desk or provisioning rights) escalate to a privileged account on domain-joined Linux hosts by having their own Kerberos identity mapped to that account. This can lead to unauthorized access to sensitive systems and data, compromising confidentiality, integrity and availability. Because the attack works over the network and needs no user interaction, the risk of broad exploitation across a fleet of hosts is high. Organizations running Red Hat Enterprise Linux 10 with AD integration are exposed to lateral movement and persistent footholds within their networks, which can facilitate data exfiltration, service disruption or malware deployment. The exposure extends to any environment where Linux systems are domain-joined and use SSSD for authentication, including enterprise, government and cloud infrastructures.
Mitigation Recommendations
1. Apply the updated sssd packages Red Hat releases for CVE-2025-11561 as soon as they are available; the fix removes the fallback at its source.
2. Review and harden Active Directory permissions so that write access to userPrincipalName and sAMAccountName, including rights delegated to help-desk or provisioning accounts, is limited to trusted administrators.
3. Until the fix is deployed, consider preventing the fallback itself. an2ln is not an SSSD option: it is the Kerberos library's built-in localauth module, selected through the `[plugins] localauth` section of krb5.conf, so any restriction is applied there rather than in sssd.conf, and auth_to_local rules the host relies on must be reviewed first.
4. Monitor and alert on changes to these attributes (Windows Security event 5136 on domain controllers, available when Directory Service Changes auditing is enabled) and on anomalous Kerberos logins to Linux hosts, in particular a principal that resolves to a local account other than the one its sAMAccountName would normally map to.
5. Use multi-factor authentication (MFA) where possible. MFA does not by itself close this flaw, since the attacker authenticates with their own credentials and is then mis-mapped, but it reduces the chance that an attribute-writing account is taken over in the first place.
6. Audit domain-joined Linux hosts regularly to verify their krb5.conf localauth and sssd.conf settings and to look for logins to privileged local accounts that were authenticated via Kerberos by a different AD identity.
7. Apply network segmentation and least-privilege principles to limit the blast radius of a compromised AD account.
8. Educate administrators on the risk of identity-attribute changes and enforce strict change management for them.
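The monitoring recommended above, as an added worked example that is not from the advisory or from any vendor tooling. It runs over a constructed, simplified set of Windows Security events (ID 5136, one JSON object per line, with far fewer fields than the real event) and flags additions to userPrincipalName or sAMAccountName that either collide with a protected local account name or were made by an account outside an approved set. The realm, the protected-account watchlist and the approved actors are assumptions for a lab; `an2ln_default` is my own approximation of the MIT Kerberos DEFAULT auth_to_local rule, included so each finding also reports what the fallback would have mapped the new principal to.

```python
import json
from typing import Optional

# Assumed lab values (not from the advisory): the Kerberos default realm of the
# domain-joined Linux hosts, local accounts worth protecting, and which AD
# principals are approved to edit identity attributes.
DEFAULT_REALM = "AD.EXAMPLE.COM"
PRIVILEGED_LOCAL = {"root", "ansible", "backup"}
APPROVED_ACTORS = {"Administrator", "idm-provisioning"}
WATCHED_ATTRS = {"userPrincipalName", "sAMAccountName"}

# Constructed sample of event 5136 ("A directory service object was modified"),
# flattened to one JSON object per line. Real events carry many more fields.
SAMPLE_EVENTS = """\
{"EventID": 4624, "SubjectUserName": "jdoe", "ObjectDN": "", "AttributeLDAPDisplayName": "", "AttributeValue": "", "OperationType": ""}
{"EventID": 5136, "SubjectUserName": "helpdesk1", "ObjectDN": "CN=jdoe,OU=Users,DC=ad,DC=example,DC=com", "AttributeLDAPDisplayName": "userPrincipalName", "AttributeValue": "jdoe@ad.example.com", "OperationType": "Value Deleted"}
{"EventID": 5136, "SubjectUserName": "helpdesk1", "ObjectDN": "CN=jdoe,OU=Users,DC=ad,DC=example,DC=com", "AttributeLDAPDisplayName": "userPrincipalName", "AttributeValue": "root@AD.EXAMPLE.COM", "OperationType": "Value Added"}
{"EventID": 5136, "SubjectUserName": "svc-onboard", "ObjectDN": "CN=bsmith,OU=Users,DC=ad,DC=example,DC=com", "AttributeLDAPDisplayName": "sAMAccountName", "AttributeValue": "ansible", "OperationType": "Value Added"}
{"EventID": 5136, "SubjectUserName": "idm-provisioning", "ObjectDN": "CN=alee,OU=Users,DC=ad,DC=example,DC=com", "AttributeLDAPDisplayName": "userPrincipalName", "AttributeValue": "alee@ad.example.com", "OperationType": "Value Added"}
{"EventID": 5136, "SubjectUserName": "helpdesk1", "ObjectDN": "CN=dpark,OU=Users,DC=ad,DC=example,DC=com", "AttributeLDAPDisplayName": "userPrincipalName", "AttributeValue": "dpark@ad.example.com", "OperationType": "Value Added"}
{"EventID": 5136, "SubjectUserName": "helpdesk1", "ObjectDN": "CN=cwu,OU=Users,DC=ad,DC=example,DC=com", "AttributeLDAPDisplayName": "userPrincipalName", "AttributeValue": "root@CORP.EXAMPLE.COM", "OperationType": "Value Added"}
{"EventID": 5136, "SubjectUserName": "helpdesk1", "ObjectDN": "CN=cwu,OU=Users,DC=ad,DC=example,DC=com", "AttributeLDAPDisplayName": "description", "AttributeValue": "root", "OperationType": "Value Added"}
"""


def an2ln_default(principal: str, default_realm: str = DEFAULT_REALM) -> Optional[str]:
    """Approximation of MIT Kerberos's DEFAULT auth_to_local rule, which is what
    the an2ln module applies when no explicit rule is configured: a single-
    component principal in the default realm maps to that component, anything
    else does not map. The realm comparison is exact, as in the library."""
    if "@" not in principal:
        return None
    name, realm = principal.rsplit("@", 1)
    if realm != default_realm or "/" in name or not name:
        return None
    return name


def local_part(attribute: str, value: str) -> str:
    """Name the POSIX side would see: sAMAccountName as-is, a UPN without its suffix."""
    if attribute == "userPrincipalName" and "@" in value:
        return value.rsplit("@", 1)[0]
    return value


def detect(event_lines: str) -> list:
    """Return one finding per suspicious attribute addition in the event stream."""
    findings = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 5136:
            continue
        attr = ev.get("AttributeLDAPDisplayName", "")
        # 5136 records a modify as a delete/add pair; the added value is the new state.
        if attr not in WATCHED_ATTRS or ev.get("OperationType") != "Value Added":
            continue
        value = ev.get("AttributeValue", "")
        actor = ev.get("SubjectUserName", "")
        reasons = []
        if local_part(attr, value).lower() in PRIVILEGED_LOCAL:
            reasons.append("collides_with_privileged_local")
        if actor not in APPROVED_ACTORS:
            reasons.append("actor_not_approved")
        if not reasons:
            continue
        findings.append({
            "object": ev.get("ObjectDN", ""),
            "actor": actor,
            "attribute": attr,
            "value": value,
            # What the an2ln DEFAULT rule would turn the new UPN into, if anything.
            "fallback_local_name": an2ln_default(value) if attr == "userPrincipalName" else None,
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

The realm check in `an2ln_default` is deliberately exact: root@CORP.EXAMPLE.COM reports no fallback mapping because the DEFAULT rule would not touch a foreign realm, yet it is still raised on the watchlist collision, since an explicit auth_to_local rule on some host could map it. In production the approved-actor set would come from the delegation model rather than a literal, and the watchlist from the actual privileged accounts present on the Linux fleet.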
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, India, Brazil, Netherlands, Sweden, Singapore
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2025-10-09T13:03:30.189Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e7be44ba0e608b4f9c42d3
Added to database: 10/9/2025, 1:53:08 PM
Last enriched: 3/20/2026, 1:48:25 AM
Last updated: 3/25/2026, 1:58:02 AM