CVE-2025-7493
Published: 30 September 2025
Summary
CVE-2025-7493 is a critical-severity Insufficient Granularity of Access Control (CWE-1220) vulnerability. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 29.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and IA-4 (Identifier Management).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- Vendor patching: timely remediation through application of vendor patches such as RHSA-2025:17084 directly fixes the FreeIPA krbCanonicalName uniqueness validation flaw.
- IA-4 (Identifier Management): mandates unique assignment and management of identifiers such as krbCanonicalName, preventing privilege escalation from name collisions like root@REALM.
- AC-2 (Account Management): establishes account management processes to create, review, and modify FreeIPA host and admin accounts, avoiding improper krbCanonicalName configurations that enable domain administrator escalation.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
T1068 (Exploitation for Privilege Escalation): the flaw enables direct privilege escalation from host-level access to domain administrator through an identity attribute validation weakness in FreeIPA/Kerberos.
NVD Description
A privilege escalation flaw from host to domain administrator was found in FreeIPA. This vulnerability is similar to CVE-2025-4404, where it fails to validate the uniqueness of the krbCanonicalName. While the previously released version added validations for the admin@REALM credential, FreeIPA still does not validate the root@REALM canonical name, which can also be used as the realm administrator's name. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration.
Deeper analysis (AI-generated)
CVE-2025-7493 is a privilege escalation vulnerability in FreeIPA, published on 2025-09-30, arising from a failure to validate the uniqueness of the krbCanonicalName attribute. This flaw, similar to CVE-2025-4404, occurs because while validations were added for the admin@REALM credential in a prior release, FreeIPA does not validate the root@REALM canonical name, which can also serve as the realm administrator's name. It is associated with CWE-1220 and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H).
An attacker with high privileges, such as host-level access (PR:H), can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation escalates privileges to domain administrator, enabling administrative tasks across the realm and resulting in scope change (S:C) with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), including access to sensitive data and its exfiltration.
Red Hat has released security errata to address this issue, including RHSA-2025:17084, RHSA-2025:17085, RHSA-2025:17086, RHSA-2025:17087, and RHSA-2025:17088. Security practitioners should review and apply these updates promptly to mitigate the vulnerability.
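As an added defensive example (not part of this record or of the FreeIPA project's code), the audit below scans exported FreeIPA user and host entries for the condition this CVE describes: a reserved realm-administrator principal (admin@REALM or root@REALM) held by any entry other than the matching uid= user, plus canonical names shared by more than one entry. The realm, DNs and entries are constructed for the sample; real input would come from an LDAP export.

```python
"""Audit exported FreeIPA user/host entries for krbCanonicalName collisions.

Added illustrative example, not FreeIPA project code. Entries below are
constructed; real ones would come from an LDAP export of cn=accounts.
"""
from collections import defaultdict

REALM = "EXAMPLE.TEST"            # assumed realm for the constructed sample
RESERVED = {"admin", "root"}      # local parts that can name the realm admin

def principal(local):
    return f"{local}@{REALM}"

# Constructed sample shaped like FreeIPA user (uid=) and host (fqdn=) objects.
SAMPLE_ENTRIES = [
    {"dn": "uid=admin,cn=users,cn=accounts,dc=example,dc=test",
     "krbCanonicalName": principal("admin"), "krbPrincipalName": [principal("admin")]},
    {"dn": "uid=alice,cn=users,cn=accounts,dc=example,dc=test",
     "krbCanonicalName": principal("alice"), "krbPrincipalName": [principal("alice")]},
    # Host entry whose canonical name is root@REALM: the pattern this CVE describes.
    {"dn": "fqdn=web01.example.test,cn=computers,cn=accounts,dc=example,dc=test",
     "krbCanonicalName": principal("root"),
     "krbPrincipalName": ["host/web01.example.test@" + REALM, principal("root")]},
    # User whose alias list borrows admin@REALM (the CVE-2025-4404 variant).
    {"dn": "uid=mallory,cn=users,cn=accounts,dc=example,dc=test",
     "krbCanonicalName": principal("mallory"),
     "krbPrincipalName": [principal("mallory"), principal("admin")]},
]

def local_part(p):
    return p.split("@", 1)[0]

def entry_uid(dn):
    """Return the uid of a user entry, or None for hosts and other objects."""
    rdn = dn.split(",", 1)[0]
    return rdn.split("=", 1)[1] if rdn.startswith("uid=") else None

def audit(entries):
    """Return (kind, dn, name) findings: reserved admin names held by any entry
    other than the matching uid= user, and canonical names owned by >1 entry."""
    findings, owners = [], defaultdict(list)
    for e in entries:
        canon = e.get("krbCanonicalName")
        if canon:
            owners[canon].append(e["dn"])
        names = {canon, *e.get("krbPrincipalName", [])} - {None}
        for n in sorted(names):
            lp = local_part(n)
            if lp in RESERVED and n.endswith("@" + REALM) and entry_uid(e["dn"]) != lp:
                findings.append(("reserved-name", e["dn"], n))
    for canon, dns in owners.items():
        if len(dns) > 1:
            findings.append(("duplicate-canonical", ";".join(dns), canon))
    return findings
```

Running `audit(SAMPLE_ENTRIES)` flags the web01 host holding root@EXAMPLE.TEST and the mallory user aliasing admin@EXAMPLE.TEST, while the legitimate admin user produces no finding.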
Details
- CWE(s)