CVE-2025-7493
BaseFortify

Publication date: 2025-09-30

Last updated on: 2025-11-04

Assigner: Red Hat, Inc.

Description
A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, in which FreeIPA failed to validate the uniqueness of the krbCanonicalName. Although the previously released version added validation for the admin@REALM credential, FreeIPA still does not validate the root@REALM canonical name, which can also be used as the realm administrator's name. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and its exfiltration.
Meta Information
Published: 2025-09-30
Last Modified: 2025-11-04
Generated: 2026-05-07
AI Q&A: 2025-09-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 10 associated CPEs

Vendor   Product           Version / Range
redhat   enterprise_linux  9.0
redhat   enterprise_linux  8.2
redhat   enterprise_linux  10
redhat   enterprise_linux  9.2
redhat   enterprise_linux  8.6
redhat   freeipa           *
redhat   enterprise_linux  7
redhat   enterprise_linux  9.4
redhat   enterprise_linux  8.8
redhat   enterprise_linux  8.4
CWE ID: CWE-1220
Description: The product implements access controls via a policy or other feature with the intention to disable or restrict accesses (reads and/or writes) to assets in a system from untrusted agents. However, the implemented access controls lack the required granularity, which renders the control policy too broad because it allows accesses from unauthorized agents to the security-sensitive assets.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-7493 is a high-severity privilege escalation vulnerability in FreeIPA's Identity Management component. It allows an attacker who is already logged in on a host to escalate their privileges to become a domain administrator by exploiting a flaw related to the validation of the krbCanonicalName LDAP attribute. Specifically, FreeIPA fails to validate the uniqueness of the root@REALM canonical name, which can be used as the realm administrator's name, enabling unauthorized administrative access. [1]


How can this vulnerability impact me?

This vulnerability can allow an attacker to gain domain administrator privileges within FreeIPA, leading to unauthorized administrative control over the REALM. This can result in access to sensitive data and the potential exfiltration of that data, severely compromising the security of the affected systems and networks. [1]


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, ensure that you apply any available patches or updates from your FreeIPA vendor as soon as possible. Since the vulnerability requires an attacker to be logged in to exploit it, restrict and monitor access to FreeIPA hosts, and review administrative privileges carefully. Additionally, verify the validation of the krbCanonicalName attribute, especially for the root@REALM canonical name, to prevent unauthorized privilege escalation. [1]

