CVE-2025-4404

A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.1 CRITICAL
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
redhatCNA
9.1 CRITICAL
NETWORK
LOW
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CISA-ADPADP
---
---
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
Vulnerability Media Exposure
References
https://access.redhat.com/errata/RHSA-2025:9184
https://access.redhat.com/errata/RHSA-2025:9185
https://access.redhat.com/errata/RHSA-2025:9186
https://access.redhat.com/errata/RHSA-2025:9187
https://access.redhat.com/errata/RHSA-2025:9188
https://access.redhat.com/errata/RHSA-2025:9189
https://access.redhat.com/errata/RHSA-2025:9190
https://access.redhat.com/errata/RHSA-2025:9191
https://access.redhat.com/errata/RHSA-2025:9192
https://access.redhat.com/errata/RHSA-2025:9193
https://access.redhat.com/errata/RHSA-2025:9194
https://access.redhat.com/security/cve/CVE-2025-4404
https://bugzilla.redhat.com/show_bug.cgi?id=2364606