CVE-2025-46811: Critical Authentication Bypass in SUSE Manager Allows Root Command Execution

SUSE Manager, a widely used systems management solution, has a critical vulnerability that could allow attackers to execute arbitrary commands as root without authentication. This vulnerability, identified as CVE-2025-46811, poses a significant risk to systems managed by vulnerable versions of SUSE Manager.

Vulnerability Details

CVE ID: CVE-2025-46811
Description: A Missing Authentication for Critical Function vulnerability in SUSE Manager allows anyone with access to the websocket at /rhn/websocket/minion/remote-commands to execute arbitrary commands as root.
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Explanation: This CVSS vector indicates that the vulnerability is remotely exploitable with low complexity, no privileges required, and no user interaction needed. Successful exploitation leads to complete compromise of confidentiality, integrity, and availability. An attacker can remotely take full control of the affected system.
Exploit Requirements: Network access to the SUSE Manager server and access to the vulnerable websocket endpoint.

Affected Products

Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: before 0.3.7-150600.3.6.2
Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: before 5.0.14-150600.4.17.1
Image SLES15-SP4-Manager-Server-4-3-BYOS: before 4.3.33-150400.3.55.2
Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure: before 4.3.33-150400.3.55.2
Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2: before 4.3.33-150400.3.55.2
Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE: before 4.3.33-150400.3.55.2
SUSE Manager Server Module 4.3: before 0.3.7-150400.3.39.4
SUSE Manager Server Module 4.3: before 4.3.33-150400.3.55.2

CWE

CWE-306: Missing Authentication for Critical Function
CWE Explanation: This CWE describes a situation where a critical function is performed without requiring authentication. This allows unauthorized users to execute privileged operations, leading to potential compromise of the system.

Timeline of Events

2025-07-30: CVE-2025-46811 Published

Exploitability & Real-World Risk

This vulnerability is highly exploitable because it requires no authentication. An attacker can simply send commands to the /rhn/websocket/minion/remote-commands endpoint to execute arbitrary commands as root. In a real-world scenario, an attacker could leverage this vulnerability to install malware, exfiltrate sensitive data, or disrupt critical services. Given the widespread use of SUSE Manager in enterprise environments, this poses a significant risk.

Recommendations

Apply the latest patches: Upgrade SUSE Manager server and modules to the latest versions as soon as possible.
Restrict network access: Ensure that access to the SUSE Manager server is restricted to authorized networks and users.
Monitor for suspicious activity: Implement monitoring and alerting mechanisms to detect and respond to any suspicious activity on the SUSE Manager server.

Technical Insight

The vulnerability exists because the websocket endpoint at /rhn/websocket/minion/remote-commands lacks proper authentication. This allows anyone who can connect to the websocket to send commands that are then executed as root. This is a critical design flaw that should have been addressed with proper authentication mechanisms.

Credit to Researcher(s)

The researcher(s) who discovered and reported this vulnerability are not explicitly mentioned in the provided information.

References

SUSE Bugzilla: CVE-2025-46811

CVE-2025-46811: Critical Authentication Bypass in SUSE Manager Allows Root Command Execution

CVE-2025-46811: Critical Authentication Bypass in SUSE Manager Allows Root Command Execution

Vulnerability Details

Affected Products

CWE

Timeline of Events

Exploitability & Real-World Risk

Recommendations

Technical Insight

Credit to Researcher(s)

References

Tags

Timeline

References

Post a Comment

Contact Form