CVE-2025-4404

Home/CVE/A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to

CVE

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the krbCanonicalName for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential.

This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.

CRITICAL · CVSS 9.1 EPSS 0.00293

Act now

Public exploit or PoC is available
CVSS base score ≥ 7.0

Sigma rules0 YARA rules0

Look this up elsewhere - one-click external pivots

NVD CVE.org CISA Vulners Exploit-DB GitHub PoC VulnCheck KEV GreyNoise

▸ How to read a CVE - triage first, then detect and patch

This page is every public fact about CVE-2025-4404, cross-linked. Its job is to answer one question fast - does this need my attention now? - and then hand you the two things you do about it. Here is how an analyst reads it.

Triage: should I act now? Four signals, and they are not interchangeable:

CVSSseverity - how bad it is IF exploited, 0-10. A high CVSS alone is not urgency; a flaw can be a perfect 10 and never actually be attacked. EPSSprobability - a model’s estimate of the chance it is exploited in the next 30 days, 0-1. This is the “will it actually happen” signal. CISA KEVconfirmed - it is being exploited in the wild right now. The strongest signal on the page; KEV beats any score. Weaponisedavailability - public exploits / PoCs, and especially Metasploit modules rated Excellent / Great. Reliable, packaged exploit code means low-skill attackers can use it today.

How they combine: KEV, or a dependable Metasploit module, means patch now regardless of CVSS. High CVSS + low EPSS + no exploit is real but not an emergency - schedule it. Low CVSS but KEV-listed still gets patched now. The verdict above already weighed these for you; this is how it got there.

Then what - two workflows:

Detectwhen you cannot patch today, follow this CVE to the ATT&CK techniques it enables, then Build a SIEM detection (the green button) - author a rule, test it in Atomic, deploy it. That buys visibility while the patch waits. PatchAffected products / packages tell you if you are exposed; Fixed versions by distribution and Vendor advisories give the exact version that closes it.

Reading order for the panels below: verdict + badges, then Public exploits / Metasploit (is it weaponised), then ATT&CK techniques + Sigma / IDS rules (can I detect it), then Affected products / packages + Fixed versions (am I exposed, what patches it), then Threat actors / IOCs (who uses it), then Scoring & timeline / references (the evidence).

View attack path from CVE-2025-4404

◆

ATT&CK techniques

Techniques this CVE enables - linked via CWECAPECATT&CK. High◆ = named directly in ATT&CK or Nuclei templates.

T1574.010 · Services File Permissions Weakness

▤ Build a SIEM detection for these techniques

▤

CAPEC attack patterns

Attack patterns this CVE enables - the bridge from weakness to ATT&CK technique.

CAPEC-CAPEC-1 · Accessing Functionality Not Properly Constrained by ACLs CAPEC-CAPEC-180 · Exploiting Incorrectly Configured Access Control Security Levels

⬡

Weakness Classification

CWE-1220Insufficient Granularity of Access Control

⚠

Public Exploits & PoCs

These PoC and exploit links come from public sources and are not verified to be safe or functional. Review the code before running anything, and treat unverified entries as untrusted.
pocIm10n/CVE-2025-4404-POC (nomi-sec)
pocARPSyndicate/cve-scores (trickest)
pocCyxow/CVE-2025-4404-POC (trickest)
pocPuddinCat/GithubRepoSpider (trickest)
pocfkie-cad/nvd-json-data-feeds (trickest)
pocnomi-sec/PoC-in-GitHub (trickest)
pocyembors64632/cve_monitor_Public (trickest)
pocyembors64632/cve_monitor_public (trickest)

📦

Fixed versions by distribution

The package version that resolves this CVE on each Linux distribution, from the vendor’s published security data. fixed in shows a patched version exists; open means the package is listed as affected with no fix yet.
oracle allbind-dyndb-ldap open
oracle allcustodia open
oracle allipa-client open
oracle allipa-client-common fixed in 0:4.12.2-14.0.1.el9_6.1
oracle allipa-client-encrypted-dns fixed in 0:4.12.2-14.0.1.el9_6.1
oracle allipa-client-epn open
oracle allipa-client-samba fixed in 0:4.12.2-14.0.1.el9_6.1
oracle allipa-common fixed in 0:4.12.2-14.0.1.el9_6.1
oracle allipa-healthcheck open
oracle allipa-healthcheck-core fixed in 0:0.12-5.module+el8.10.0+90621+268b66c9
oracle allipa-python-compat open
oracle allipa-selinux open
oracle allipa-selinux-luna fixed in 0:4.12.2-14.0.1.el9_6.1
oracle allipa-selinux-nfast open
oracle allipa-server fixed in 0:4.12.2-14.0.1.el9_6.1
oracle allipa-server-common open
oracle allipa-server-dns open
oracle allipa-server-encrypted-dns open
oracle allipa-server-trust-ad fixed in 0:4.12.2-14.0.1.el9_6.1
oracle allopendnssec open
oracle allpython2-ipaclient fixed in 0:4.6.8-5.0.3.el7_9.17
oracle allpython2-ipalib fixed in 0:4.6.8-5.0.3.el7_9.17
oracle allpython2-ipaserver open
oracle allpython3-custodia fixed in 0:0.6.0-3.module+el8.9.0+90094+20819f5a
oracle allpython3-ipaclient open
oracle allpython3-ipalib open
oracle allpython3-ipaserver fixed in 0:4.12.2-14.0.1.el9_6.1
oracle allpython3-ipatests fixed in 0:4.12.2-14.0.1.el9_6.1
oracle allpython3-jwcrypto fixed in 0:0.5.0-2.module+el8.10.0+90573+7d6bd8da
oracle allpython3-kdcproxy open
oracle allpython3-pyusb open
oracle allpython3-qrcode fixed in 0:5.3-1.module+el8.10.0+90621+268b66c9
oracle allpython3-qrcode-core fixed in 0:5.3-1.module+el8.10.0+90621+268b66c9
oracle allpython3-yubico open
oracle allslapi-nis fixed in 0:0.60.0-4.module+el8.10.0+90297+bfe93ccc
oracle allsofthsm open
oracle allsofthsm-devel fixed in 0:2.6.0-5.module+el8.9.0+90094+20819f5a
rhel 8bind-dyndb-ldap open
rhel 8custodia fixed in 0:0.6.0-3.module+el8.9.0+18911+94941f82
rhel 8ipa-client fixed in 0:4.9.13-18.module+el8.10.0+23182+cbb72bb2
rhel 8ipa-client-common fixed in 0:4.9.13-18.module+el8.10.0+23183+85190b0c
rhel 8ipa-client-epn fixed in 0:4.9.13-18.module+el8.10.0+23182+cbb72bb2
rhel 8ipa-client-samba fixed in 0:4.9.13-18.module+el8.10.0+23183+85190b0c
rhel 8ipa-common open
rhel 8ipa-healthcheck open
rhel 8ipa-healthcheck-core open
rhel 8ipa-python-compat fixed in 0:4.9.13-18.module+el8.10.0+23183+85190b0c
rhel 8ipa-selinux fixed in 0:4.9.13-18.module+el8.10.0+23183+85190b0c
rhel 8ipa-server fixed in 0:4.9.13-18.module+el8.10.0+23182+cbb72bb2
rhel 8ipa-server-common open
rhel 8ipa-server-dns fixed in 0:4.9.13-18.module+el8.10.0+23182+cbb72bb2
rhel 8ipa-server-trust-ad fixed in 0:4.9.13-18.module+el8.10.0+23182+cbb72bb2
rhel 8opendnssec open
rhel 8python3-custodia open
rhel 8python3-ipaclient fixed in 0:4.9.13-18.module+el8.10.0+23182+cbb72bb2
rhel 8python3-ipalib open
rhel 8python3-ipaserver open
rhel 8python3-ipatests fixed in 0:4.9.13-18.module+el8.10.0+23182+cbb72bb2
rhel 8python3-jwcrypto open
rhel 8python3-kdcproxy open
rhel 8python3-pyusb open
rhel 8python3-qrcode fixed in 0:5.3-1.module+el8.10.0+22543+0dae60ab
rhel 8python3-qrcode-core open
rhel 8python3-yubico open
rhel 8slapi-nis open
rhel 8softhsm fixed in 0:2.6.0-5.module+el8.9.0+18911+94941f82
rhel 8softhsm-devel open
rhel 9ipa-client open
rhel 9ipa-client-common open
rhel 9ipa-client-encrypted-dns open
rhel 9ipa-client-epn fixed in 0:4.12.2-14.el9_6.1
rhel 9ipa-client-samba fixed in 0:4.12.2-14.el9_6.1
rhel 9ipa-common fixed in 0:4.12.2-14.el9_6.1
rhel 9ipa-selinux fixed in 0:4.12.2-14.el9_6.1
rhel 9ipa-selinux-luna open
rhel 9ipa-selinux-nfast fixed in 0:4.12.2-14.el9_6.1
rhel 9ipa-server fixed in 0:4.12.2-14.el9_6.1
rhel 9ipa-server-common open
rhel 9ipa-server-dns open
rhel 9ipa-server-encrypted-dns fixed in 0:4.12.2-14.el9_6.1

▣

Scoring & Timeline

9.1

CRITICAL · CVSS v3.1 · [email protected]

View on NVD

Attack Vector

Network Adjacent Local Physical

Attack Complexity

Low High

Privileges Required

None Low High

User Interaction

None Required

Scope

Unchanged Changed

Confidentiality

None Low High

Integrity

None Low High

Availability

None Low High

Published to NVD17 Jun 2025 · 02:15 PM

CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

SSVC triage · cisa-vulnrichment

Exploitation

none

Automatable

Technical impact

total

SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.

⚑

Vendor Advisories

rhsaRHSA-2025:20994Important
rhsaRHSA-2025:20928Important
rhsaRHSA-2025:17645Important
rhsaRHSA-2025:17649Important
rhsaRHSA-2025:17646Important
Show all 24 vendor advisoriesrhsaRHSA-2025:17648Important
rhsaRHSA-2025:17647Important
rhsaRHSA-2025:17088Important
rhsaRHSA-2025:17129Important
rhsaRHSA-2025:17087Important
rhsaRHSA-2025:17086Important
rhsaRHSA-2025:17085Important
rhsaRHSA-2025:17084Important
rhsaRHSA-2025:9193Important
rhsaRHSA-2025:9192Important
rhsaRHSA-2025:9184Important
rhsaRHSA-2025:9194Important
rhsaRHSA-2025:9186Important
rhsaRHSA-2025:9185Important
rhsaRHSA-2025:9188Important
rhsaRHSA-2025:9187Important
rhsaRHSA-2025:9189Important
rhsaRHSA-2025:9191Important
rhsaRHSA-2025:9190Important

🔗

References & Sources

Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.

https://access.redhat.com/security/cve/CVE-2025-4404

https://bugzilla.redhat.com/show_bug.cgi?id=2364606

https://pagure.io/freeipa/c/6b9400c135ed16b10057b350cc9ce42aa0e862d4

https://pagure.io/freeipa/c/796ed20092d554ee0c9e23295e346ec1e8a0bf6e

http://www.openwall.com/lists/oss-security/2025/09/30/6