Critical Vulnerability Patched in FreeIPA Domain Controller for Linux Systems

Red Dog Security

16 Jul 2025 — 1 min read

Red Hat has issued a patch for a critical vulnerability in FreeIPA, a widely used domain controller for Linux systems. The flaw—CVE-2025-4404, rated CVSS 9.4—was discovered by Mikhail Sukhov, a researcher at Positive Technologies.

FreeIPA is commonly deployed to manage user identities, authentication policies, and audit logging across enterprise Linux environments.

Key Details

Affected Versions: FreeIPA 4.12.2 and 4.12.3
Impact:
An attacker with access to credentials from a compromised domain-joined machine can:
- Extract authentication keys from system files
- Escalate privileges to domain administrator
- Gain control over all user accounts and organizational resources
Root Cause:
A 2020 update removed the krbCanonicalName attribute, which was originally intended to prevent privilege escalation. This change introduced a new attack vector.

Exploitation Scenario

An attacker compromises a domain-joined machine account.
They access sensitive key files on the system.
They use those keys to forge Kerberos tickets and impersonate a domain administrator (e.g., [email protected]).

Mitigation

Patch

Upgrade to FreeIPA 4.12.4, which addresses the vulnerability.

🔧 Workaround (If Patching Is Delayed):

Enforce Privilege Attribute Certificate (PAC) validation on Kerberos servers.
Manually set [email protected] for admin accounts to block ticket forgery.

Why This Matters

FreeIPA is bundled with Red Hat Enterprise Linux, a platform used by over 2,000 organizations worldwide. It also underpins identity services in products from other vendors, including those in Russia.

Unpatched systems risk complete domain compromise, potentially allowing attackers to override access controls and exfiltrate sensitive data.

Expert Quote

"This flaw could turn a single compromised machine into a gateway for domain-wide control. Organizations must prioritize updates or enforce strict Kerberos PAC checks."
— Mikhail Sukhov, Positive Technologies

Action Items

Patch immediately if running FreeIPA ≤ 4.12.3
Audit Kerberos configurations to ensure PAC enforcement
Monitor logs for suspicious authentication or privilege escalation activity

Adobe Commerce and Magento Vulnerability Allows Account Takeover

Adobe has disclosed a critical vulnerability (CVE-2025-54236) affecting its Commerce and Magento platforms. Researchers have dubbed the flaw SessionReaper, describing it as one of the most serious bugs in the history of these products. The issue has been assigned a CVSS severity score of 9.1 out of 10. According

Plex Urges Users to Reset Passwords After Data Breach

Plex, the streaming media platform, is warning customers to reset their passwords immediately following a security breach that exposed user authentication data. “An unauthorized third party accessed a limited subset of user data from one of our databases,” Plex wrote in its notification to users. “Although we quickly contained the

Enthusiasts Have Created a Darwin Award for Artificial Intelligence

Nominations are now open for the Darwin Award in Artificial Intelligence. The goal of the award’s creators is not to mock AI itself, but to highlight the consequences of using it without caution or foresight. For context, the original Darwin Award is a satirical “anti-award” that emerged in Usenet

12 Erroneous Certificates Were Issued for Cloudflare's DNS Service 1.1.1.1

Last week it was revealed that a little-known certificate authority (CA), Fina, had improperly issued 12 TLS certificates for 1.1.1.1—Cloudflare’s popular DNS service—between February 2024 and August 2025. These certificates were created without Cloudflare’s permission and could have been used to decrypt requests