CVE-2025-46811

A Missing Authorization vulnerability in SUSE Linux Manager allows anyone with the ability to connect to port 443 of SUSE Manager is able to run any command as root on any client. This issue affects Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before 5.0.27-150600.3.33.1; Image SLES15-SP4-Manager-Server-4-3-BYOS: from ? before 4.3.87-150400.3.110.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure: from ? before 4.3.87-150400.3.110.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2: from ? before 4.3.87-150400.3.110.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE: from ? before 4.3.87-150400.3.110.2; SUSE Manager Server Module 4.3: from ? before 4.3.87-150400.3.110.2.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-46811

Configurations

No configuration.

History

03 Sep 2025, 07:15

Type	Values Removed	Values Added
CWE	~~CWE-306~~	CWE-862
Summary	(en) A Missing Authentication for Critical Function vulnerability in SUSE Manager allows anyone with access to the websocket at /rhn/websocket/minion/remote-commands to execute arbitrary commands as root. This issue affects Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before 0.3.7-150600.3.6.2; Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before 5.0.14-150600.4.17.1; Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before 5.0.14-150600.4.17.1; Image SLES15-SP4-Manager-Server-4-3-BYOS: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE: from ? before 4.3.33-150400.3.55.2; SUSE Manager Server Module 4.3: from ? before 0.3.7-150400.3.39.4; SUSE Manager Server Module 4.3: from ? before 4.3.33-150400.3.55.2; SUSE Manager Server Module 4.3: from ? before 4.3.33-150400.3.55.2.	(en) A Missing Authorization vulnerability in SUSE Linux Manager allows anyone with the ability to connect to port 443 of SUSE Manager is able to run any command as root on any client. This issue affects Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before 5.0.27-150600.3.33.1; Image SLES15-SP4-Manager-Server-4-3-BYOS: from ? before 4.3.87-150400.3.110.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure: from ? before 4.3.87-150400.3.110.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2: from ? before 4.3.87-150400.3.110.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE: from ? before 4.3.87-150400.3.110.2; SUSE Manager Server Module 4.3: from ? before 4.3.87-150400.3.110.2.

31 Jul 2025, 18:42

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad de Autenticación Inexistente para Funciones Críticas en SUSE Manager permite que cualquier persona con acceso al websocket en /rhn/websocket/minion/remote-commands ejecute comandos arbitrarios como root. Este problema afecta a Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: desde ? anterior a 0.3.7-150600.3.6.2; Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: desde ? anterior a 5.0.14-150600.4.17.1; Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: desde ? anterior a 5.0.14-150600.4.17.1; Imagen SLES15-SP4-Manager-Server-4-3-BYOS: de ? anterior a 4.3.33-150400.3.55.2; Imagen SLES15-SP4-Manager-Server-4-3-BYOS: de ? anterior a 4.3.33-150400.3.55.2; Imagen SLES15-SP4-Manager-Server-4-3-BYOS-Azure: de ? anterior a 4.3.33-150400.3.55.2; Imagen SLES15-SP4-Manager-Server-4-3-BYOS-Azure: de ? anterior a 4.3.33-150400.3.55.2; Imagen SLES15-SP4-Manager-Server-4-3-BYOS-EC2: de ? anterior a 4.3.33-150400.3.55.2; Imagen SLES15-SP4-Manager-Server-4-3-BYOS-EC2: de ? anterior a 4.3.33-150400.3.55.2; Imagen SLES15-SP4-Manager-Server-4-3-BYOS-GCE: de ? anterior a 4.3.33-150400.3.55.2; Imagen SLES15-SP4-Manager-Server-4-3-BYOS-GCE: de ? anterior a 4.3.33-150400.3.55.2; SUSE Manager Server Module 4.3: de ? anterior a 0.3.7-150400.3.39.4; SUSE Manager Server Module 4.3: de ? anterior a 4.3.33-150400.3.55.2; SUSE Manager Server Module 4.3: de ? antes del 4.3.33-150400.3.55.2.

30 Jul 2025, 15:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-07-30 15:15

Updated : 2025-09-03 07:15

NVD link : CVE-2025-46811

Mitre link : CVE-2025-46811

CVE.ORG link : CVE-2025-46811

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

9.8 /10