CVE-2025-9615 Overview
A flaw was found in NetworkManager that allows improper file access control. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system's network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection.
Critical Impact
Local attackers with low privileges may be able to access confidential information belonging to other users through NetworkManager's elevated daemon privileges.
Affected Products
- NetworkManager (all affected versions)
Discovery Timeline
- 2026-01-26 - CVE-2025-9615 published to NVD
- 2026-01-27 - Last updated in NVD database
Technical Details for CVE-2025-9615
Vulnerability Analysis
This vulnerability is classified under CWE-281 (Improper Preservation of Permissions), indicating a fundamental design flaw in how NetworkManager handles file access permissions. The core issue stems from the privilege separation model implemented in NetworkManager, where the daemon component operates with root-level privileges to manage system network configurations.
When a non-root user creates or modifies network connections, NetworkManager processes these requests through its privileged daemon. The flaw allows the daemon to access files owned by users other than the one who initiated the connection configuration. This creates an information disclosure risk where sensitive file contents could be exposed to unauthorized users.
The attack requires local access and low privileges, making it primarily a concern in multi-user environments where different users share the same system. While the confidentiality impact is limited in scope, the vulnerability represents a break in the expected privilege boundaries within the NetworkManager architecture.
Root Cause
The root cause is improper preservation of permissions (CWE-281) in NetworkManager's daemon process. When non-root users configure network connections, the daemon fails to properly restrict file access to only those files owned by or accessible to the requesting user. Instead, the daemon uses its root privileges to access files without adequately verifying the original user's permission to access those files.
Attack Vector
The attack requires local access to a system running a vulnerable version of NetworkManager. An attacker with a low-privileged local account could potentially craft network configuration requests that cause the NetworkManager daemon to read files belonging to other users on the system. Since the daemon operates with root privileges, it can access any file on the system, and this access may be leveraged to disclose information to the requesting user who would not otherwise have permission to read those files.
The local attack vector means remote exploitation is not possible without first obtaining local system access through other means.
Detection Methods for CVE-2025-9615
Indicators of Compromise
- Unusual NetworkManager configuration changes from non-administrative users
- Unexpected file access patterns in system logs related to NetworkManager daemon processes
- Anomalous network connection profiles referencing file paths outside expected configuration directories
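One way to check for the last indicator, as an added example that is not NetworkManager's or the advisory's own code: it parses a keyfile-format profile, collects every value that is an absolute path or file:// URI, and reports those that fall outside an allow-list and are not owned by a user named in connection.permissions. The allow-list, the sample profile and the ownership map are assumptions constructed for illustration.

```python
import configparser
import os
import posixpath
import pwd
import re

# Assumption: directories where shared, root-managed files are expected. Tune per site.
ALLOWED_DIRS = ("/etc/NetworkManager/", "/etc/pki/", "/etc/ssl/")
PATH_RE = re.compile(r"^(?:file://)?(/[^;\s]+)")  # absolute path or file:// URI

def stat_owner(path):
    """Owning username of path, or None if it cannot be resolved."""
    try:
        return pwd.getpwuid(os.stat(path).st_uid).pw_name
    except (OSError, KeyError):
        return None

def audit_profile(text, owner_of=stat_owner):
    """Return (section, key, path, owner) for file references worth reviewing."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(text)
    perms = cp.get("connection", "permissions", fallback="")
    users = {p.split(":")[1] for p in perms.split(";") if p.startswith("user:")}
    findings = []
    for section in cp.sections():
        for key, value in cp.items(section):
            m = PATH_RE.match(value)
            if not m:
                continue
            path = posixpath.normpath(m.group(1))  # normalise before the prefix check
            if path.startswith(ALLOWED_DIRS):
                continue
            owner = owner_of(path)
            if owner not in users:  # also flags profiles with no user restriction
                findings.append((section, key, path, owner))
    return findings

# Constructed sample profile and ownership map (not taken from a real system).
SAMPLE = """\
[connection]
permissions=user:alice:;

[802-1x]
ca-cert=/etc/pki/tls/certs/ca.pem
client-cert=/home/alice/certs/alice.pem
private-key=/home/bob/certs/bob.key
"""
OWNERS = {"/home/alice/certs/alice.pem": "alice", "/home/bob/certs/bob.key": "bob"}
```

On a live host, run it as root over each file in /etc/NetworkManager/system-connections with the default stat_owner; audit_profile(SAMPLE, OWNERS.get) exercises it offline.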
Detection Strategies
- Monitor the NetworkManager daemon process (NetworkManager) for unusual file access operations using auditd or similar tools
- Review system authentication logs for non-root users making frequent or unusual network configuration changes
- Implement file integrity monitoring on sensitive system directories that should not be accessed by NetworkManager
Monitoring Recommendations
- Enable verbose logging for NetworkManager to track connection configuration changes
- Deploy endpoint detection to monitor for privilege escalation attempts involving NetworkManager
- Audit user permissions and network configuration capabilities on multi-user systems
How to Mitigate CVE-2025-9615
Immediate Actions Required
- Review which users have permission to configure network connections via NetworkManager
- Restrict NetworkManager configuration capabilities to trusted administrators where possible
- Apply vendor patches when available from your Linux distribution
Patch Information
Red Hat has acknowledged this vulnerability and is tracking it through their security advisory system. Technical details and patch progress can be found in the Red Hat CVE-2025-9615 Advisory and Red Hat Bug Report #2391503.
The upstream NetworkManager project has addressed this issue through merge requests. For detailed patch information, refer to:
Workarounds
- Limit which users can modify network configurations by adjusting PolicyKit rules for NetworkManager
- Consider using alternative network configuration methods for sensitive multi-user environments until patches are applied
- Implement strict user access controls to limit potential attackers' ability to exploit this vulnerability
# Example: Restrict NetworkManager permissions via PolicyKit
# Run as root. Creates /etc/polkit-1/rules.d/50-networkmanager-restrict.rules
# to limit which users can modify network settings.
# Note: the rule denies every org.freedesktop.NetworkManager action to users
# outside the "wheel" group, not only profile changes.
cat << 'EOF' > /etc/polkit-1/rules.d/50-networkmanager-restrict.rules
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.NetworkManager") == 0 &&
        !subject.isInGroup("wheel")) {
        return polkit.Result.NO;
    }
});
EOF

