It's time for another round of vulnerabilities discovered in the wild. This time, it's two local privilege escalation (LPE) vulnerabilities that affect SSH and libblockdev – both of which are found in most major Linux distributions.

The vulnerabilities in question are CVE-2025-6018 (which allows a hacker to impersonate a user via SSH) and CVE-2025-6019 (which is exploitable via the udisks service and allows a user to escalate access to root privileges).

Pumpkin Chang, a security researcher at DEVCORE who focuses on Linux kernel security, discusses these issues in depth in his blog. Chang explains D-Bus and Polkit and how these mechanisms are leveraged to perform certain operations by impersonating actual users.

Additionally, a report from Qualys' senior manager, Saeed Abbasi, discusses both LPE flaws. Abbassi says, “These modern ‘local-to-root’ exploits have collapsed the gap between an ordinary logged-in user and a full system takeover.”

Abbasi continues, "By chaining legitimate services such as udisks loop-mounts and PAM/environment quirks, attackers who own any active GUI or SSH session can vault across polkit’s allow_active trust zone and emerge as root in seconds." Finally, he adds, "Nothing exotic is required: each link is pre-installed on mainstream Linux distros and their server builds."

The key here is "Nothing exotic is required." In other words, these vulnerabilities don't require any non-standard tools to exploit.

As far as mitigation is concerned, Abbassi states, "To mitigate this vulnerability, modify the polkit rule for ‘org.freedesktop.udisks2.modify-device’. Change the allow_active setting from yes to auth_admin."