Description: A Local Privilege Escalation (LPE) vulnerability has been discovered in pam-config within Linux Pluggable Authentication Modules (PAM). This flaw allows an unprivileged local attacker (for example, a user logged in via SSH) to obtain the elevated privileges normally reserved for a physically present, "allow_active" user. The highest risk is that the attacker can then perform all allow_active yes Polkit actions, which are typically restricted to console users, potentially gaining unauthorized control over system configurations, services, or other sensitive operations.
The **CVSS Base Score** is a score from **0 to 10** that represents the intrinsic severity of a vulnerability. A higher score indicates greater severity.
Database CWE: v4.18
CWE-863: Incorrect Authorization ↗
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Fonte: MITRE CWE
The **EPSS (Exploit Prediction Scoring System)** is a score from **0 to 1** that indicates the **probability** that a vulnerability will be exploited in the real world in the next 30 days. A higher value indicates a greater likelihood of exploitation.
The **Percentile** indicates how much higher this vulnerability's EPSS score is compared to all other vulnerabilities in the EPSS database. For example, a percentile of 0.90 (90%) means that 90% of vulnerabilities have an EPSS score equal to or lower than the current one.
*Data updated as of: 2025-12-27
The **CISA KEV Catalog** lists vulnerabilities that have been **actively exploited in the real world**. If a CVE is present in this catalog, it indicates that the threat is immediate and mitigation should be a top priority.
CVE **CVE-2025-6018** is not present in the CISA KEV Catalog. This indicates that it is not currently classified by CISA as an actively exploited vulnerability.