Bug 2389448 (CVE-2025-7493)

Summary: CVE-2025-7493 FreeIPA: idm: Privilege escalation from host to domain admin in FreeIPA
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abokovoy, frenaud, ftrivino, ozgamesio23, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, where it fails to validate the uniqueness of the krbCanonicalName. While the previously released version added validations for the admin@REALM credential, FreeIPA still does not validate the root@REALM canonical name, which can also be used as the realm administrator's name. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Deadline: 2025-09-30   

Description OSIDB Bzimport 2025-08-19 17:22:33 UTC 
Although CVE-2025-4404 fixed the lack of verification for the uniqueness of the LDAP attribute krbCanonicalName in FreeIPA, it doesn't prevent to achieve the same privilege escalation by using the the root kbrcanonicalname.
Comment 1 errata-xmlrpc 2025-09-30 16:25:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:17086 https://access.redhat.com/errata/RHSA-2025:17086
Comment 2 errata-xmlrpc 2025-09-30 16:39:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:17087 https://access.redhat.com/errata/RHSA-2025:17087
Comment 3 errata-xmlrpc 2025-09-30 16:49:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:17085 https://access.redhat.com/errata/RHSA-2025:17085
Comment 4 errata-xmlrpc 2025-09-30 16:56:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:17088 https://access.redhat.com/errata/RHSA-2025:17088
Comment 5 errata-xmlrpc 2025-09-30 17:23:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:17084 https://access.redhat.com/errata/RHSA-2025:17084
Comment 7 errata-xmlrpc 2025-10-01 06:27:05 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:17129 https://access.redhat.com/errata/RHSA-2025:17129
Comment 9 Manker Grip 2025-10-07 04:55:39 UTC 
(In reply to errata-xmlrpc from comment #7)
> This issue has been addressed in the following products:
> 
>   Red Hat Enterprise Linux 8 https://ozgames.io
> 
> Via RHSA-2025:17129 https://access.redhat.com/errata/RHSA-2025:17129

Thanks for the update. Looks like this issue (CVE-2025-7493) has now been patched across multiple RHEL versions — 8, 9, 9.4 EUS, and 10 — through the respective errata (RHSA-2025:17084, 17085, 17088, and 17129). Good to see consistent coverage across supported releases.

Just to confirm: does this fix fully address the LDAP krbCanonicalName privilege escalation vector mentioned in CVE-2025-4404, or are there additional mitigations required on FreeIPA deployments?
Comment 10 Alexander Bokovoy 2025-10-07 08:06:04 UTC 
Please read the upstream release notes for 4.12.5, they have all the details. 
https://www.freeipa.org/release-notes/4-12-5.html

The security releases in RHEL and Fedora follow those details in addressing both CVE-2025-4404 and CVE-2025-7493.
Comment 11 errata-xmlrpc 2025-10-09 08:01:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2025:17647 https://access.redhat.com/errata/RHSA-2025:17647
Comment 12 errata-xmlrpc 2025-10-09 08:02:09 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support

Via RHSA-2025:17648 https://access.redhat.com/errata/RHSA-2025:17648
Comment 13 errata-xmlrpc 2025-10-09 08:11:18 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:17645 https://access.redhat.com/errata/RHSA-2025:17645
Comment 14 errata-xmlrpc 2025-10-09 08:14:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:17646 https://access.redhat.com/errata/RHSA-2025:17646
Comment 15 errata-xmlrpc 2025-10-09 08:14:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:17649 https://access.redhat.com/errata/RHSA-2025:17649
Comment 16 errata-xmlrpc 2025-11-11 13:51:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:20928 https://access.redhat.com/errata/RHSA-2025:20928
Comment 17 errata-xmlrpc 2025-11-11 19:11:31 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:20994 https://access.redhat.com/errata/RHSA-2025:20994