CVE-2025-5689
BaseFortify
Publication date: 2025-06-16
Last updated on: 2025-08-26
Assigner: Canonical Ltd.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canonical | authd | to 0.5.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-5689 is a vulnerability in the authd package where a new user logging in via SSH for the first time is incorrectly assigned to the root group within that SSH session. This means the user gains unauthorized root-level privileges during that session, leading to a local privilege escalation. [1]
How can this vulnerability impact me? :
This vulnerability can allow an unauthorized user to gain root-level privileges during an SSH session, which can lead to unauthorized access and control over the system. It impacts confidentiality and integrity by allowing privilege escalation, but does not affect availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking the version of the authd package installed on your system. If the version is prior to 0.5.4, your system is vulnerable. Use the command `dpkg -l | grep authd` on Ubuntu to check the installed version. Additionally, review SSH login sessions for any new users who might have been assigned root group privileges incorrectly. There are no specific commands provided to detect the vulnerability directly on the network. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade the authd package to version 0.5.4 or later where the flaw is fixed. As a workaround, you can disable authentication via authd by configuring the SSH server: set `UsePAM no` or `KbdInteractiveAuthentication no` in the `sshd_config` file. These steps prevent the vulnerable authentication method from being used. [1]