CVE-2025-11561 · HIGH 8.8 · EPSS percentile 50.7%


Description

A flaw was found in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. In default configurations, the Kerberos local authentication plugin (sssd_krb5_localauth_plugin) is enabled, but a fallback to the an2ln plugin is possible. This fallback allows an attacker with permission to modify certain AD attributes (such as userPrincipalName or samAccountName) to impersonate privileged users, potentially resulting in unauthorized access or privilege escalation on domain-joined Linux hosts.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.77% probability of exploitation · percentile 50.7% · scored 2026-06-18T12:00:27Z
Published: 2025-10-09
Last modified: 2026-04-15

Underlying weaknesses (1)

CWE-269

References

  1. https://access.redhat.com/errata/RHSA-2025:19610
  2. https://access.redhat.com/errata/RHSA-2025:19847
  3. https://access.redhat.com/errata/RHSA-2025:19848
  4. https://access.redhat.com/errata/RHSA-2025:19849
  5. https://access.redhat.com/errata/RHSA-2025:19850
  6. https://access.redhat.com/errata/RHSA-2025:19851
  7. https://access.redhat.com/errata/RHSA-2025:19852
  8. https://access.redhat.com/errata/RHSA-2025:19853


Type      Target                                    Confidence  Tier
Weakness  Improper Privilege Management (CWE-269)   0%          live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2025-21293
CVE: CVE-2025-21376
CVE: CVE-2026-25177
CVE: CVE-2025-5689
CVE: CVE-2025-26647
CVE: Microsoft Active Directory Domain Services Privilege Escalation Vulnerability
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.