Warning: A critical vulnerability in SUSE Multi Linux Manager allows attackers to execute any command as root. Patch Immediately!

Published: 31/07/2025

    * Last update: 31/07/2025
    * Affected software: SUSE Multi Linux Manager
    * Type: Missing authentication for critical function
    * CVE/CVSS
        → CVE-2025-46811: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

Risks

SUSE disclosed a vulnerability in July 2025 affecting SUSE Multi Linux Manager.

SUSE Multi Linux Manager is a popular tool to automate patching, manage content lifecycle and monitor
Linux environments in real time.

CVE-2025-46811 is a flaw that, when exploited, could enable any remote unauthenticated attacker
connected to port 443 of the SUSE Manager to run any command as root on any client. Exploitation of
this vulnerability can have a high impact on confidentiality, integrity and availability.

There is no report of active exploitation (cut-off date: 31 July 2025).

Description

CVE-2025-46811 is a missing authentication for critical function vulnerability. This flaw allows anyone
with access to the web socket at /rhn/websocket/minion/remote-commands to execute arbitrary
commands as root on any client, without authentication. An attacker could exploit this vulnerability
for a full takeover.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.

CVE-2025-46811 affects different products within the SUSE Manager product line. For a list of affected
products and their fixed package versions, consult https://www.suse.com/security/cve/CVE-2025-46811.html

Monitor/Detect

The CCB recommends organisations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.

Wordfence published a series of indicators of compromise that they observed carrying out exploitation attempts. Consult these indicators at https://www.wordfence.com/blog/2025/07/attackers-actively-exploiting-critical-vulnerability-in-alone-theme/

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.
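
One way to review historic access to the endpoint named in the Description, as an added example that is not part of this advisory or of SUSE's code: it lists requests to that path from outside the expected administrative networks. It assumes the server's HTTPS front end writes Apache combined-format access logs; the function name, the trusted range and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote

# Path the advisory names as reachable without authentication.
ENDPOINT = "/rhn/websocket/minion/remote-commands"

# Assumption: Apache "combined" access-log format on the HTTPS front end.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_endpoint_hits(lines, trusted_cidrs):
    """Return requests to ENDPOINT that came from outside trusted_cidrs."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Compare the decoded path only: no query string, no trailing slash.
        path = unquote(m["target"].split("?", 1)[0]).rstrip("/")
        if path != ENDPOINT:
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            src = None  # hostname in the client field: treat as untrusted
        if src is not None and any(src in net for net in trusted):
            continue
        status = int(m["status"])
        # 101 Switching Protocols means the WebSocket upgrade completed.
        hits.append({"ip": m["ip"], "time": m["ts"],
                     "status": status, "upgraded": status == 101})
    return hits

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '198.51.100.23 - - [30/Jul/2025:02:14:07 +0000] "GET /rhn/websocket/minion/remote-commands HTTP/1.1" 101 - "-" "-"',
    '10.20.0.5 - - [30/Jul/2025:09:01:11 +0000] "GET /rhn/websocket/minion/remote-commands HTTP/1.1" 101 - "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Jul/2025:09:05:42 +0000] "GET /robots.txt HTTP/1.1" 200 26 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [30/Jul/2025:09:06:00 +0000] "GET /rhn/websocket/minion/remote-commands/?x=1 HTTP/1.1" 403 199 "-" "curl/8.0"',
]

if __name__ == "__main__":
    # Assumption: 10.20.0.0/16 stands in for the administrators' network.
    for hit in find_endpoint_hits(SAMPLE_LOG, ["10.20.0.0/16"]):
        print(hit)
```

If the server sits behind a load balancer or reverse proxy, the client field holds the proxy's address, so run the check against the proxy's own logs instead. Hits with a 101 status deserve first attention because the WebSocket connection was established.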

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident

References

 
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-46811