Home/CVE/A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE
CVE

CVE-2025-7493

A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE

A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, where it fails to validate the uniqueness of the krbCanonicalName. While the previously released version added validations for the admin@REALM credential, FreeIPA still does not validate the root@REALM canonical name, which can also be used as the realm administrator's name.

This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.

CRITICAL · CVSS 9.1 EPSS 0.00122
Act now
  • Public exploit or PoC is available
  • CVSS base score ≥ 7.0
Sigma rules0 YARA rules0
Look this up elsewhere - one-click external pivots
NVDCVE.orgCISAVulnersExploit-DBGitHub PoCVulnCheck KEVGreyNoise
How to read a CVE - triage first, then detect and patch
This page is every public fact about CVE-2025-7493, cross-linked. Its job is to answer one question fast - does this need my attention now? - and then hand you the two things you do about it. Here is how an analyst reads it.
Triage: should I act now? Four signals, and they are not interchangeable:
CVSSseverity - how bad it is IF exploited, 0-10. A high CVSS alone is not urgency; a flaw can be a perfect 10 and never actually be attacked. EPSSprobability - a model’s estimate of the chance it is exploited in the next 30 days, 0-1. This is the “will it actually happen” signal. CISA KEVconfirmed - it is being exploited in the wild right now. The strongest signal on the page; KEV beats any score. Weaponisedavailability - public exploits / PoCs, and especially Metasploit modules rated Excellent / Great. Reliable, packaged exploit code means low-skill attackers can use it today.
How they combine: KEV, or a dependable Metasploit module, means patch now regardless of CVSS. High CVSS + low EPSS + no exploit is real but not an emergency - schedule it. Low CVSS but KEV-listed still gets patched now. The verdict above already weighed these for you; this is how it got there.
Then what - two workflows:
Detectwhen you cannot patch today, follow this CVE to the ATT&CK techniques it enables, then Build a SIEM detection (the green button) - author a rule, test it in Atomic, deploy it. That buys visibility while the patch waits. PatchAffected products / packages tell you if you are exposed; Fixed versions by distribution and Vendor advisories give the exact version that closes it.
Reading order for the panels below: verdict + badges, then Public exploits / Metasploit (is it weaponised), then ATT&CK techniques + Sigma / IDS rules (can I detect it), then Affected products / packages + Fixed versions (am I exposed, what patches it), then Threat actors / IOCs (who uses it), then Scoring & timeline / references (the evidence).

ATT&CK techniques

1

Techniques this CVE enables - linked via CWECAPECATT&CK. High◆ = named directly in ATT&CK or Nuclei templates.

T1574.010 · Services File Permissions Weakness
▤ Build a SIEM detection for these techniques

CAPEC attack patterns

2

Attack patterns this CVE enables - the bridge from weakness to ATT&CK technique.

CAPEC-CAPEC-1 · Accessing Functionality Not Properly Constrained by ACLs CAPEC-CAPEC-180 · Exploiting Incorrectly Configured Access Control Security Levels

Weakness Classification

CWE-1220Insufficient Granularity of Access Control

Public Exploits & PoCs

2
These PoC and exploit links come from public sources and are not verified to be safe or functional. Review the code before running anything, and treat unverified entries as untrusted.
pocARPSyndicate/cve-scores (trickest)
pocfkie-cad/nvd-json-data-feeds (trickest)
📦

Fixed versions by distribution

80
The package version that resolves this CVE on each Linux distribution, from the vendor’s published security data. fixed in shows a patched version exists; open means the package is listed as affected with no fix yet.
oracle allbind-dyndb-ldap fixed in 0:11.6-6.module+el8.10.0+90553+1bd85afa
oracle allcustodia open
oracle allipa-client open
oracle allipa-client-common open
oracle allipa-client-encrypted-dns fixed in 0:4.12.2-14.0.1.el9_6.5
oracle allipa-client-epn open
oracle allipa-client-samba fixed in 0:4.12.2-14.0.1.el9_6.5
oracle allipa-common fixed in 0:4.12.2-14.0.1.el9_6.5
oracle allipa-healthcheck fixed in 0:0.12-6.module+el8.10.0+90676+16d53ab4
oracle allipa-healthcheck-core open
oracle allipa-python-compat open
oracle allipa-selinux open
oracle allipa-selinux-luna fixed in 0:4.12.2-14.0.1.el9_6.5
oracle allipa-selinux-nfast open
oracle allipa-server fixed in 0:4.12.2-14.0.1.el9_6.5
oracle allipa-server-common open
oracle allipa-server-dns fixed in 0:4.12.2-14.0.1.el9_6.5
oracle allipa-server-encrypted-dns fixed in 0:4.12.2-14.0.1.el9_6.5
oracle allipa-server-trust-ad open
oracle allopendnssec open
oracle allpython2-ipaclient fixed in 0:4.6.8-5.0.5.el7_9.17
oracle allpython2-ipalib fixed in 0:4.6.8-5.0.5.el7_9.17
oracle allpython2-ipaserver fixed in 0:4.6.8-5.0.5.el7_9.17
oracle allpython3-custodia open
oracle allpython3-ipaclient open
oracle allpython3-ipalib open
oracle allpython3-ipaserver open
oracle allpython3-ipatests open
oracle allpython3-jwcrypto fixed in 0:0.5.0-2.module+el8.10.0+90573+7d6bd8da
oracle allpython3-kdcproxy open
oracle allpython3-pyusb fixed in 0:1.0.0-9.1.module+el8.9.0+90094+20819f5a
oracle allpython3-qrcode open
oracle allpython3-qrcode-core fixed in 0:5.3-1.module+el8.10.0+90676+16d53ab4
oracle allpython3-yubico fixed in 0:1.3.2-9.1.module+el8.9.0+90094+20819f5a
oracle allslapi-nis open
oracle allsofthsm open
oracle allsofthsm-devel open
rhel 8bind-dyndb-ldap fixed in 0:11.6-6.module+el8.10.0+23009+91fb337e
rhel 8custodia fixed in 0:0.6.0-3.module+el8.9.0+18911+94941f82
rhel 8ipa-client fixed in 0:4.9.13-20.module+el8.10.0+23537+32c82745
rhel 8ipa-client-common fixed in 0:4.9.13-20.module+el8.10.0+23534+744f3864
rhel 8ipa-client-epn open
rhel 8ipa-client-samba fixed in 0:4.9.13-20.module+el8.10.0+23534+744f3864
rhel 8ipa-common open
rhel 8ipa-healthcheck open
rhel 8ipa-healthcheck-core open
rhel 8ipa-python-compat fixed in 0:4.9.13-20.module+el8.10.0+23534+744f3864
rhel 8ipa-selinux open
rhel 8ipa-server fixed in 0:4.9.13-20.module+el8.10.0+23534+744f3864
rhel 8ipa-server-common fixed in 0:4.9.13-20.module+el8.10.0+23534+744f3864
rhel 8ipa-server-dns fixed in 0:4.9.13-20.module+el8.10.0+23534+744f3864
rhel 8ipa-server-trust-ad fixed in 0:4.9.13-20.module+el8.10.0+23534+744f3864
rhel 8opendnssec open
rhel 8python3-custodia fixed in 0:0.6.0-3.module+el8.9.0+18911+94941f82
rhel 8python3-ipaclient fixed in 0:4.9.13-20.module+el8.10.0+23537+32c82745
rhel 8python3-ipalib fixed in 0:4.9.13-20.module+el8.10.0+23537+32c82745
rhel 8python3-ipaserver open
rhel 8python3-ipatests fixed in 0:4.9.13-20.module+el8.10.0+23534+744f3864
rhel 8python3-jwcrypto open
rhel 8python3-kdcproxy fixed in 0:0.4-5.module+el8.10.0+22564+098ba143.1
rhel 8python3-pyusb fixed in 0:1.0.0-9.1.module+el8.9.0+18911+94941f82
rhel 8python3-qrcode open
rhel 8python3-qrcode-core fixed in 0:5.3-1.module+el8.10.0+22544+6a7f07c2
rhel 8python3-yubico fixed in 0:1.3.2-9.1.module+el8.9.0+18920+2223d05e
rhel 8slapi-nis fixed in 0:0.60.0-4.module+el8.10.0+20723+03062ebd
rhel 8softhsm open
rhel 8softhsm-devel fixed in 0:2.6.0-5.module+el8.9.0+18911+94941f82
rhel 9ipa-client open
rhel 9ipa-client-common open
rhel 9ipa-client-encrypted-dns open
rhel 9ipa-client-epn open
rhel 9ipa-client-samba fixed in 0:4.12.2-22.el9_7.1
rhel 9ipa-common fixed in 0:4.12.2-22.el9_7.1
rhel 9ipa-selinux fixed in 0:4.12.2-22.el9_7.1
rhel 9ipa-selinux-luna fixed in 0:4.12.2-22.el9_7.1
rhel 9ipa-selinux-nfast fixed in 0:4.12.2-22.el9_7.1
rhel 9ipa-server open
rhel 9ipa-server-common open
rhel 9ipa-server-dns fixed in 0:4.12.2-22.el9_7.1
rhel 9ipa-server-encrypted-dns fixed in 0:4.12.2-22.el9_7.1

Scoring & Timeline

9.1
CRITICAL · CVSS v3.1 · [email protected]
View on NVD
Attack Vector
Network Adjacent Local Physical
Attack Complexity
Low High
Privileges Required
None Low High
User Interaction
None Required
Scope
Unchanged Changed
Confidentiality
None Low High
Integrity
None Low High
Availability
None Low High
Published to NVD30 Sep 2025 · 03:15 PM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
SSVC triage · cisa-vulnrichment
Exploitation
none
Automatable
no
Technical impact
total
SSVC asks the questions that actually drive patch urgency: is it being exploited, can attacks be automated, and how total is the impact.

Vendor Advisories

13
rhsaRHSA-2025:20928Important
rhsaRHSA-2025:17129Important
rhsaRHSA-2025:17646Important
rhsaRHSA-2025:17645Important
rhsaRHSA-2025:17648Important
🔗

References & Sources

3
Source URLs (vendor pages, mailing lists, write-ups). Exploit/PoC links are in their own section above to avoid duplication.
https://access.redhat.com/security/cve/CVE-2025-7493
https://bugzilla.redhat.com/show_bug.cgi?id=2389448
http://www.openwall.com/lists/oss-security/2025/09/30/6
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Daily brief
Change tracking
Detection Engineering
Coverage workspace
Detection coverage
Coverage check
Telemetry ceiling
SIEM query builder
Sigma rules
SIEM rules
YARA rules
Network rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Coverage report
Atlas Search Threat actors Techniques Tools & malware CWE CAPEC KEV catalog Package vulns TAXII feed Data sources
About All capabilities Pricing API docs Live status Privacy policy Terms of service
threatengine.sh