CVE-2025-23222
Published: 24 January 2025
Summary
CVE-2025-23222 is a high-severity Improper Verification of Source of a Communication Channel (CWE-940) vulnerability in Deepin dde-api-proxy, versions through 1.0.19. The public references are SUSE and openSUSE advisories, which is why some feeds attribute the issue to SUSE; the affected software is Deepin's proxy, not SUSE. Its CVSS base score is 8.4 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). Its exploit-likelihood score sits at the 23rd percentile (below the median), which reflects the local-only attack vector rather than any difficulty: any unprivileged local user on a vulnerable Deepin system can trigger it. It is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-4 (Information Flow Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-6 (Least Privilege): run dde-api-proxy without root privileges so that a forwarded message cannot carry root's authority; where the proxy must keep root for legacy reasons, it must not relay arbitrary local callers' requests under that identity.
AC-3 (Access Enforcement): make the proxy take an access-control decision on every forwarded call, resolving the originating caller's identity (the sender's Unix uid, or the Polkit subject) instead of letting the destination service see only the proxy's root connection.
AC-4 (Information Flow Enforcement): restrict which messages may flow from unprivileged local callers through the proxy to legacy privileged D-Bus methods, so that only methods safe for any local user are proxied at all.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a local privilege escalation: unprivileged users can invoke root-restricted D-Bus methods through a root-privileged proxy that forwards requests without conveying the original caller's identity, which is direct exploitation for privilege escalation to root or Polkit admin.
NVD Description
An issue was discovered in Deepin dde-api-proxy through 1.0.19 in which unprivileged users can access D-Bus services as root. Specifically, dde-api-proxy runs as root and forwards messages from arbitrary local users to legacy D-Bus methods in the actual D-Bus services, and the actual D-Bus services don't know about the proxy situation (they believe that root is asking them to do things). Consequently several proxied methods, that shouldn't be accessible to non-root users, are accessible to non-root users. In situations where Polkit is involved, the caller would be treated as admin, resulting in a similar escalation of privileges.
Deeper analysis
CVE-2025-23222 is a confused-deputy privilege escalation in Deepin dde-api-proxy through version 1.0.19. The proxy holds a root connection to the bus and forwards D-Bus messages from arbitrary local users to legacy methods on the real services. Those services are unaware of the proxy: the only sender they see is the proxy's root connection, so they authorize the request as if root had made it. Any proxied method that is meant to be root-only therefore becomes reachable by every local user, and where the service defers to Polkit the caller is evaluated as root and treated as admin, with the same result. The issue carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): local access, low complexity, no privileges or user interaction required, and full impact on confidentiality, integrity and availability. It is classified as CWE-940.
Exploitation requires only an unprivileged local session. By sending an otherwise ordinary method call through the dde-api-proxy, a local attacker invokes privileged D-Bus methods and escalates to root or Polkit-admin level. No memory corruption or race is involved; the flaw is that the authorization decision is taken on the wrong identity.
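The following is an added illustration of the pattern described in the mitigating-controls list and in the analysis above; it is not Deepin's code and names no real Deepin bus name or method. A tiny in-process "bus" stands in for the system bus: each connection has a unique name and a Unix uid, a legacy service authorizes purely on the uid behind the sender connection, and the proxy owns a root connection. The hypothetical method names (SetHostname, WriteSystemConfig, GetHostname) and uids are constructed for the example. A real hardened proxy would obtain the caller's uid with org.freedesktop.DBus.GetConnectionUnixUser(sender); here that lookup is modelled by Bus.get_connection_unix_user().

```python
"""Model of a confused-deputy D-Bus proxy (CWE-940) and a hardened variant.

Added example, not Deepin's code. Every name below is constructed for the
illustration.
"""
from dataclasses import dataclass

ROOT_UID = 0


@dataclass(frozen=True)
class Message:
    sender: str            # unique connection name, e.g. ":1.42"
    method: str
    args: tuple = ()


class Bus:
    """Maps unique connection names to the uid that owns them."""

    def __init__(self):
        self._uids = {}
        self._next = 1

    def connect(self, uid):
        name = f":1.{self._next}"
        self._next += 1
        self._uids[name] = uid
        return name

    def get_connection_unix_user(self, name):
        # Stand-in for org.freedesktop.DBus.GetConnectionUnixUser
        return self._uids[name]


class LegacyService:
    """Authorizes solely on the uid behind the sender connection; it has no
    idea that a proxy may sit between it and the human user."""
    PRIVILEGED = frozenset({"SetHostname", "WriteSystemConfig"})

    def __init__(self, bus):
        self.bus = bus
        self.executed = []   # (method, uid the service believed was calling)

    def call(self, msg):
        uid = self.bus.get_connection_unix_user(msg.sender)
        if msg.method in self.PRIVILEGED and uid != ROOT_UID:
            raise PermissionError(f"{msg.method} denied for uid {uid}")
        self.executed.append((msg.method, uid))
        return f"{msg.method}: ok"


class VulnerableProxy:
    """Root-owned connection that relays any local caller's message under its
    own identity, so the service sees uid 0 regardless of who asked."""

    def __init__(self, bus, service):
        self.bus, self.service = bus, service
        self.conn = bus.connect(ROOT_UID)

    def forward(self, msg):
        # The original sender is dropped here: this is the CWE-940 defect.
        return self.service.call(Message(self.conn, msg.method, msg.args))


class HardenedProxy(VulnerableProxy):
    """Same root connection, but resolves the original sender's uid and relays
    a privileged method only if that uid could have called it directly
    (AC-3 access enforcement plus AC-4 flow restriction at the proxy)."""

    def forward(self, msg):
        caller_uid = self.bus.get_connection_unix_user(msg.sender)
        if msg.method in LegacyService.PRIVILEGED and caller_uid != ROOT_UID:
            raise PermissionError(
                f"proxy refuses {msg.method} for uid {caller_uid}")
        return super().forward(msg)


def _attempt(fn, *args):
    try:
        return fn(*args)
    except PermissionError as e:
        return str(e)


def run_scenario(proxy_cls):
    """Unprivileged uid 1000 calls the service directly, then via the proxy.
    Returns the outcomes and what the service actually executed."""
    bus = Bus()
    service = LegacyService(bus)
    proxy = proxy_cls(bus, service)
    user_conn = bus.connect(1000)
    return {
        "direct": _attempt(service.call, Message(user_conn, "SetHostname")),
        "privileged_via_proxy": _attempt(
            proxy.forward, Message(user_conn, "SetHostname", ("owned",))),
        "harmless_via_proxy": _attempt(
            proxy.forward, Message(user_conn, "GetHostname")),
        "executed": list(service.executed),
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableProxy))
    print("hardened:  ", run_scenario(HardenedProxy))
```

The vulnerable run shows the service executing SetHostname with uid 0 even though the direct call from uid 1000 was refused; the hardened run relays only the harmless method. Note that the check lives in the proxy because, as the NVD text says, the legacy services cannot tell a proxied call from a genuine root call; dropping root from the proxy (AC-6) is the cleaner fix where the legacy methods do not actually need it.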
Advisories addressing CVE-2025-23222 include the SUSE Bugzilla entry at https://bugzilla.suse.com/show_bug.cgi?id=1229918, the openSUSE security notice at https://security.opensuse.org/2025/01/24/dde-api-proxy-privilege-escalation.html, and the OSS-Security mailing list discussion at https://www.openwall.com/lists/oss-security/2025/01/24/3.
Details
- CWE(s)