CVE-2025-11561 Overview
A privilege escalation vulnerability has been identified in the integration of Active Directory and the System Security Services Daemon (SSSD) on Linux systems. The flaw resides in the Kerberos local authentication plugin (sssd_krb5_localauth_plugin), which is enabled by default in standard configurations. A dangerous fallback mechanism to the an2ln plugin allows attackers who can modify specific Active Directory attributes to impersonate privileged users on domain-joined Linux hosts.
This vulnerability is particularly concerning for enterprise environments where Linux systems are integrated with Active Directory for centralized authentication. An attacker with even limited Active Directory permissions—specifically the ability to modify userPrincipalName or samAccountName attributes—can leverage this flaw to escalate privileges and gain unauthorized access to sensitive resources.
Critical Impact
Attackers with permission to modify AD attributes can impersonate privileged users, leading to unauthorized access or privilege escalation on domain-joined Linux hosts.
Affected Products
- Linux systems running SSSD with Active Directory integration
- Systems using the default sssd_krb5_localauth_plugin configuration
- Domain-joined Linux hosts with Kerberos authentication enabled
Discovery Timeline
- October 9, 2025 - CVE-2025-11561 published to NVD
- March 19, 2026 - Last updated in NVD database
Technical Details for CVE-2025-11561
Vulnerability Analysis
The vulnerability stems from improper privilege management (CWE-269) in the SSSD Kerberos authentication workflow. When SSSD processes Kerberos authentication requests, it relies on the sssd_krb5_localauth_plugin to map Kerberos principals to local user accounts. However, the implementation allows a fallback to the an2ln (authenticated name to local name) plugin when the primary plugin fails to resolve a principal.
This fallback mechanism does not adequately validate the integrity of AD attribute mappings, creating a security gap that can be exploited. The an2ln plugin performs principal-to-local-user translation using AD attributes that may be controllable by lower-privileged users in certain AD configurations.
The vulnerability can be exploited over the network and requires low privileges—specifically, the ability to modify certain AD attributes. No user interaction is required for successful exploitation, and a successful attack can result in complete compromise of confidentiality, integrity, and availability on the affected Linux host.
Root Cause
The root cause is insufficient validation in the SSSD authentication chain when falling back from the sssd_krb5_localauth_plugin to the an2ln plugin. The fallback mechanism trusts AD attribute values (specifically userPrincipalName and samAccountName) without proper verification that the mapping corresponds to the authenticated user's actual identity.
In environments where delegation of attribute modification exists—even for seemingly non-sensitive attributes—attackers can manipulate these values to create mappings that associate their Kerberos principal with privileged local accounts such as root or service accounts.
Attack Vector
The attack leverages network-accessible Active Directory services combined with the SSSD fallback authentication mechanism. An attacker with the ability to modify AD attributes follows this attack pattern:
- The attacker identifies a domain-joined Linux host using SSSD for AD authentication
- Using their existing AD credentials, the attacker modifies their userPrincipalName or samAccountName attribute to match that of a privileged user
- When authenticating to the Linux host, the sssd_krb5_localauth_plugin processes the request but triggers the fallback to an2ln
- The an2ln plugin resolves the attacker's manipulated principal to the privileged local account
- The attacker gains access with the privileges of the impersonated user
The attack requires network access to the target system and valid AD credentials with attribute modification permissions. For detailed technical analysis of the Kerberos LDR (Local Domain Resolution) mechanisms involved, refer to the Async Blog on Kerberos LDR.
Detection Methods for CVE-2025-11561
Indicators of Compromise
- Unusual modifications to userPrincipalName or samAccountName attributes in Active Directory logs
- Authentication events where the authenticated principal does not match expected user-to-host mappings
- SSSD debug logs showing fallback from sssd_krb5_localauth_plugin to an2ln plugin
- Privilege escalation attempts following AD attribute changes on domain-joined Linux systems
Detection Strategies
- Enable and monitor SSSD debug logging to identify authentication plugin fallback events
- Implement Active Directory auditing for attribute modifications on user objects, particularly userPrincipalName and samAccountName
- Deploy SentinelOne agents on domain-joined Linux hosts to detect anomalous authentication patterns and privilege escalation attempts
- Cross-correlate AD attribute change events with subsequent Linux authentication logs for the same user principal
Monitoring Recommendations
- Configure alerting on AD attribute modifications for sensitive attributes using your SIEM solution
- Monitor SSSD authentication logs for unexpected plugin fallback behavior using /var/log/sssd/ log files
- Implement behavioral analysis for user accounts authenticating to systems they do not normally access
- Track correlation between AD object changes and subsequent privilege escalation indicators on Linux endpoints
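The cross-correlation called for in the two lists above (AD attribute changes followed by an SSSD plugin fallback for the same principal), as an added example that is not part of this advisory or of SSSD. The AD records are constructed sample data in the shape a SIEM would normalise from Windows event 5136 ("a directory service object was modified"); the SSSD lines are constructed in SSSD's usual "(timestamp): [component] [function] (level): message" layout, and the wording of the fallback message (`falling back to an2ln`) is an assumption to be replaced with the text your own debug logs show. The 24-hour look-back window is likewise an assumption.

```python
"""Correlate AD attribute changes with later SSSD localauth -> an2ln fallbacks.

Added example (not from the advisory or the SSSD project). Assumptions: the AD
records are what a SIEM would normalise from Windows event 5136; the SSSD
fallback message text is invented for illustration.
"""
import re
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)          # how far back to look for a related AD change
SENSITIVE_ATTRS = {"userprincipalname", "samaccountname"}
TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed AD audit records (sample data, not real logs).
AD_ATTRIBUTE_CHANGES = [
    {"time": "2025-10-10 08:58:12", "event_id": 5136, "subject": "CORP\\jdoe",
     "target": "CN=jdoe,OU=Users,DC=corp,DC=example",
     "attribute": "userPrincipalName", "new_value": "dbadmin@corp.example"},
    {"time": "2025-10-10 08:40:00", "event_id": 5136, "subject": "CORP\\hr-sync",
     "target": "CN=asmith,OU=Users,DC=corp,DC=example",
     "attribute": "telephoneNumber", "new_value": "+1 555 0100"},
    {"time": "2025-10-01 10:00:00", "event_id": 5136, "subject": "CORP\\helpdesk",
     "target": "CN=bwong,OU=Users,DC=corp,DC=example",
     "attribute": "sAMAccountName", "new_value": "bwong2"},
]

# Constructed SSSD debug log lines; the fallback wording is an assumption.
SSSD_LOG = """\
(2025-10-10 09:02:41): [krb5_child[4123]] [sss_krb5_localauth] (0x0040): could not map principal [dbadmin@CORP.EXAMPLE], falling back to an2ln
(2025-10-10 09:02:41): [krb5_child[4123]] [map_principal] (0x0100): principal [dbadmin@CORP.EXAMPLE] mapped to local user [dbadmin]
(2025-10-10 11:15:03): [krb5_child[4388]] [sss_krb5_localauth] (0x0040): could not map principal [backup-svc@CORP.EXAMPLE], falling back to an2ln
(2025-10-10 11:20:55): [krb5_child[4401]] [sss_krb5_localauth] (0x0100): principal [asmith@CORP.EXAMPLE] mapped to local user [asmith]
"""

LINE_RE = re.compile(
    r"^\((?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\): "
    r"\[(?P<comp>.+?)\] \[(?P<func>[^\]]+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
PRINCIPAL_RE = re.compile(r"\[([^\[\]]+@[^\[\]]+)\]")
FALLBACK_MARKER = "falling back to an2ln"   # assumption: replace with the real text


def parse_fallback_events(log_text):
    """Return [(timestamp, principal)] for every line recording a localauth -> an2ln fallback."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or FALLBACK_MARKER not in m.group("msg"):
            continue
        p = PRINCIPAL_RE.search(m.group("msg"))
        if p:
            events.append((datetime.strptime(m.group("ts"), TS_FMT), p.group(1)))
    return events


def attribute_names_principal(change, principal):
    """True when the new attribute value is the identity the principal now claims."""
    attr = change["attribute"].lower()
    if attr not in SENSITIVE_ATTRS:
        return False
    new_value = change["new_value"].lower()
    if attr == "userprincipalname":
        return new_value == principal.lower()
    local_part = principal.rpartition("@")[0]      # sAMAccountName carries no realm
    return new_value == local_part.lower()


def correlate(changes, log_text, window=WINDOW):
    """Pair each fallback with any sensitive-attribute change in the preceding
    window that set the attribute to the principal's name. Each pair is one alert."""
    alerts = []
    for fb_time, principal in parse_fallback_events(log_text):
        for change in changes:
            changed_at = datetime.strptime(change["time"], TS_FMT)
            if not (fb_time - window <= changed_at <= fb_time):
                continue
            if attribute_names_principal(change, principal):
                alerts.append({
                    "principal": principal,
                    "fallback_at": fb_time.strftime(TS_FMT),
                    "changed_at": change["time"],
                    "attribute": change["attribute"],
                    "changed_by": change["subject"],
                    "target_object": change["target"],
                })
    return alerts


if __name__ == "__main__":
    for alert in correlate(AD_ATTRIBUTE_CHANGES, SSSD_LOG):
        print(alert)
```

On the sample data only the `dbadmin@CORP.EXAMPLE` fallback is paired with a preceding change: the `telephoneNumber` edit is not a sensitive attribute, and the `sAMAccountName` change nine days earlier falls outside the window. The `backup-svc` fallback produces no alert, which is the point of correlating rather than alerting on every fallback: legitimate fallbacks for unmapped service principals stay quiet while a fallback that follows an identity-attribute change does not.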
How to Mitigate CVE-2025-11561
Immediate Actions Required
- Apply security patches from Red Hat or your Linux distribution immediately
- Review SSSD configuration to disable or restrict fallback to the an2ln plugin where possible
- Audit Active Directory permissions to identify and restrict accounts with unnecessary attribute modification rights
- Enable enhanced logging on SSSD and AD domain controllers to detect exploitation attempts
Patch Information
Red Hat has released multiple security advisories addressing this vulnerability. Organizations should apply the appropriate patches based on their Red Hat Enterprise Linux version:
Additional advisories and updates can be found at the Red Hat CVE Information page for CVE-2025-11561. For upstream issue tracking, see SSSD GitHub Issue #8021.
Workarounds
- Restrict delegation of AD attribute modification permissions to trusted administrators only
- Configure SSSD to use explicit principal-to-user mappings rather than relying on automatic resolution
- Implement network segmentation to limit access to domain-joined Linux hosts from untrusted network segments
- Consider disabling the an2ln plugin fallback in SSSD configuration if compatibility permits
# SSSD configuration hardening example
# Add to /etc/sssd/sssd.conf under the [domain/YOUR_DOMAIN] section
# (the file must be owned by root with mode 0600, or SSSD refuses to start)
[domain/YOUR_DOMAIN]
# Increase logging for authentication events so plugin fallbacks are recorded
debug_level = 6
# Restrict logins to specific groups; group names must match how SSSD presents
# them (fully qualified if use_fully_qualified_names is enabled for the domain)
access_provider = simple
simple_allow_groups = linux_admins, linux_users
After saving the file, restart SSSD from a shell so the changes take effect:
sudo systemctl restart sssd
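The workaround of using explicit principal-to-user mappings instead of automatic resolution, shown as an added example that is not part of this advisory or of SSSD. It is a small model of the resolution decision, not SSSD code: the allowlist, the trusted realm, the local account table and the uid threshold are all constructed assumptions, and `allow_name_fallback` exists only to show, beside the explicit path, why a name-derived fallback must never be allowed to land on a privileged account.

```python
"""Explicit principal-to-local-user resolution that refuses to guess.

Added example (not from the advisory or the SSSD project). It models the
workaround "use explicit principal-to-user mappings rather than automatic
resolution" with constructed data: an allowlist, a trusted realm, and a small
passwd table; none of these are SSSD options.
"""

TRUSTED_REALM = "CORP.EXAMPLE"
SYSTEM_UID_MAX = 999   # uids at or below this are treated as privileged/service accounts

# Constructed explicit allowlist: only listed principals may log in, and each one
# maps to exactly the local account named here.
EXPLICIT_MAP = {
    "asmith@CORP.EXAMPLE": "asmith",
    "svc-backup@CORP.EXAMPLE": "backup",   # deliberate, reviewed mapping to a service account
}

# Constructed local account table (name -> uid) standing in for /etc/passwd.
LOCAL_ACCOUNTS = {"root": 0, "backup": 900, "dbadmin": 500, "asmith": 1001, "bwong": 1002}


class MappingError(Exception):
    """Raised whenever the principal cannot be mapped with confidence."""


def resolve(principal, mapping=EXPLICIT_MAP, accounts=LOCAL_ACCOUNTS,
            trusted_realm=TRUSTED_REALM, allow_name_fallback=False):
    """Map a Kerberos principal to a local user.

    allow_name_fallback=True reproduces the risky behaviour the advisory warns
    about: deriving the local name from the principal's name part. Even then,
    a name-derived result is never allowed to land on a privileged account.
    """
    name_part, sep, realm = principal.rpartition("@")
    if not sep or not name_part:
        raise MappingError(f"{principal!r} is not a realm-qualified principal")
    if realm.upper() != trusted_realm.upper():
        raise MappingError(f"{principal!r} is not from trusted realm {trusted_realm}")

    if principal in mapping:
        local_user, explicit = mapping[principal], True
    elif allow_name_fallback:
        local_user, explicit = name_part, False
    else:
        raise MappingError(f"no explicit mapping for {principal!r}; refusing to guess")

    if local_user not in accounts:
        raise MappingError(f"{local_user!r} is not a local account on this host")
    if not explicit and accounts[local_user] <= SYSTEM_UID_MAX:
        raise MappingError(
            f"refusing name-derived mapping of {principal!r} onto privileged account {local_user!r}")
    return local_user


def try_resolve(principal, **kwargs):
    """Return (True, local_user) or (False, reason) so callers can log the decision."""
    try:
        return True, resolve(principal, **kwargs)
    except MappingError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for p in ("asmith@CORP.EXAMPLE", "dbadmin@CORP.EXAMPLE", "asmith@OTHER.EXAMPLE"):
        print(p, "->", try_resolve(p))
        print(p, "(fallback on) ->", try_resolve(p, allow_name_fallback=True))
```

With fallback disabled, a principal that is not in the allowlist is refused outright, whatever name it carries; with fallback enabled, an ordinary account such as `bwong` still resolves by name, but a name that collides with a privileged local account (`dbadmin`, uid 500 in the constructed table) is refused. The realm check rejects principals from any other realm before any mapping is consulted.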
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

