* Last update: 31/07/2025
* Affected software: SUSE Multi Linux Manager
* Type: Missing authentication for critical function
* CVE/CVSS
→ CVE-2025-46811: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
SUSE disclosed a vulnerability in July 2025 affecting SUSE Multi Linux Manager.
SUSE Multi Linux Manager is a popular tool to automate patching, manage content lifecycle and monitor
Linux environments in real time.
CVE-2025-46811 is a flaw that, when exploited, could enable any remote unauthenticated attacker
connected to port 443 of the SUSE Manager to run any command as root on any client. Exploitation of
this vulnerability can have a high impact on confidentiality, integrity and availability.
There is no report of active exploitation (cut-off date: 31 July 2025).
CVE-2025-46811 is a missing authentication for a critical function vulnerability. This flaw allows anyone
with access to the web socket at /rhn/websocket/minion/remote-commands to execute arbitrary
commands as root on any client without authenticating. An attacker could exploit this vulnerability
for a full takeover.
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
CVE-2025-46811 affects different products within the SUSE Manager product line. For a list of affected
products and their fixed package versions, consult https://www.suse.com/security/cve/CVE-2025-46811.html
Monitor/Detect
The CCB recommends organisations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
Wordfence published a series of indicators of compromise that they observed carrying out exploitation attempts. Consult these indicators at https://www.wordfence.com/blog/2025/07/attackers-actively-exploiting-critical-vulnerability-in-alone-theme/
While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
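One way to review historic web server logs for access to the web socket path named above, as an added example that is not code from SUSE or the CCB. It assumes Apache "combined" access log format, a hypothetical trusted administrator network, and constructed sample log lines.

```python
import ipaddress
import re
from urllib.parse import unquote

ENDPOINT = "/rhn/websocket/minion/remote-commands"  # path named in the advisory

# Assumption: Apache "combined" access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

# Assumption (hypothetical value): networks administrators use to reach the web UI.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines, using documentation address ranges.
SAMPLE_LOG = [
    '10.20.0.15 - - [30/Jul/2025:09:12:01 +0000] "GET /rhn/websocket/minion/remote-commands HTTP/1.1" 101 - "-" "Mozilla/5.0"',
    '203.0.113.44 - - [30/Jul/2025:09:14:37 +0000] "GET /rhn/websocket/minion/remote-commands HTTP/1.1" 101 - "-" "-"',
    '198.51.100.7 - - [30/Jul/2025:09:15:02 +0000] "GET /rhn/websocket/minion/remote-commands?x=1 HTTP/1.1" 403 199 "-" "-"',
    '203.0.113.44 - - [30/Jul/2025:09:16:00 +0000] "GET /rhn/manager/login HTTP/1.1" 200 5120 "-" "-"',
]

def is_trusted(ip):
    """True if the client address falls inside a trusted admin network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # hostname or malformed address in the log
        return False
    return any(addr in net for net in TRUSTED_NETS)

def find_suspicious(lines):
    """Return requests to ENDPOINT from untrusted sources, completed upgrades first."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        path = unquote(m["target"]).split("?", 1)[0].rstrip("/")
        if path != ENDPOINT or is_trusted(m["ip"]):
            continue
        status = int(m["status"])
        # HTTP 101 means the WebSocket upgrade completed, so a session was opened.
        hits.append({"ip": m["ip"], "time": m["ts"], "status": status,
                     "upgraded": status == 101})
    return sorted(hits, key=lambda h: not h["upgraded"])

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Hits with `upgraded` set are the ones to correlate first with command execution records on the managed clients for the same time window.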
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident