Critical Vulnerability Information

Vulnerability Identifier
CVE ID: CVE-2025-11561

Severity
CVSS v3 Base Score: 8.8
Severity Level: Important

Description
Vulnerability Description: A vulnerability has been identified in the use of SSSD to integrate Linux systems with Active Directory. The Kerberos localauth plugin (sssd_krb5_localauth_plugin) maps the Kerberos principal that authenticated to a local account on the Linux host. When it is used in a deployment that allows domain users to modify the primary or alternate username mapping of their own AD account to a Linux host, this may lead to unauthorized access or privilege escalation on that host.

Affected Scope
Affected Products and Services:
- Red Hat Enterprise Linux 9: Affected
- Red Hat Enterprise Linux 8: End of Life
- Red Hat Enterprise Linux 7: Affected
- Red Hat Enterprise Linux 6: Affected
- Red Hat OpenShift Container Platform 4.x: Affected

Mitigation Measures
Recommended Configuration: Disable the Kerberos localauth plugin, or configure it in the Kerberos configuration file or in the default included file so that it is disabled for AD/LDAP providers. Apply vendor-provided updates and follow the accompanying guidance. Note that the attacker only needs an ordinary domain account with write access to the relevant attributes of their own AD object, so restricting which principal-mapping attributes users may self-modify in AD is a complementary hardening step.

CVSS Score Details
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High

Weakness Understanding (CWE)
CWE ID: CWE-269 (Improper Privilege Management)
Technical Impact: Control Flow: Authorization or Assumed Identity

Acknowledgments
Thank you to Zaver Lee for reporting this issue.
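The mitigation turns on whether the SSSD localauth plugin is actually active on a given host, and krb5.conf may pull that registration in from an include directory rather than carrying it itself. The following audit helper is an added example written for this page; it is not part of the advisory, of Red Hat's guidance, or of SSSD. It assumes the plugin is registered the way MIT Kerberos loads localauth modules, a [plugins] localauth stanza whose module line names sssd_krb5_localauth_plugin, and that the stanza may live in a drop-in reached through an include or includedir directive (SSSD commonly installs such a drop-in under /var/lib/sss/pubconf/krb5.include.d/, which is assumed here rather than taken from the advisory). The sample krb5.conf tree it builds is constructed inline.

```shell
#!/bin/sh
# Added audit helper, not part of the advisory or of SSSD: report whether the
# SSSD Kerberos localauth plugin is registered in a krb5.conf, following the
# files it pulls in via 'include' and 'includedir'. Assumption: the plugin is
# registered by a [plugins] localauth stanza whose module line names
# sssd_krb5_localauth_plugin (SSSD installs such a drop-in, commonly under
# /var/lib/sss/pubconf/krb5.include.d/, pulled in by an includedir line).

# List the config file itself plus every file an include/includedir directive
# brings in. krb5.conf only includes files from an includedir whose names are
# made of alphanumerics, dashes and underscores, so other names are skipped.
krb5_conf_files() {
    conf="$1"
    [ -f "$conf" ] || return 0
    printf '%s\n' "$conf"
    grep -E '^[[:space:]]*include(dir)?[[:space:]]+' "$conf" 2>/dev/null |
    while read -r kw target; do
        case "$kw" in
            include)
                [ -f "$target" ] && printf '%s\n' "$target" ;;
            includedir)
                [ -d "$target" ] || continue
                for f in "$target"/*; do
                    [ -f "$f" ] || continue
                    case "${f##*/}" in
                        *[!A-Za-z0-9_-]*) continue ;;
                    esac
                    printf '%s\n' "$f"
                done ;;
        esac
    done
    return 0
}

# Exit 0 when any active (non-comment) line in those files names the SSSD
# localauth module, 1 otherwise. Lines starting with '#' or ';' are comments
# in krb5.conf, so a commented-out module line does not count as enabled.
sssd_localauth_enabled() {
    krb5_conf_files "$1" |
    while read -r f; do
        grep -v -E '^[[:space:]]*[#;]' "$f" |
            grep -q 'sssd_krb5_localauth_plugin' && echo enabled
    done | grep -q enabled
}

# Build a constructed krb5.conf tree in a temp directory (sample input, not a
# real host) and report what the checker says about it.
demo() {
    d=$(mktemp -d)
    mkdir "$d/krb5.include.d"
    cat > "$d/krb5.conf" <<EOF
includedir $d/krb5.include.d
[libdefaults]
 default_realm = AD.EXAMPLE.TEST
EOF
    # Constructed drop-in in the shape of SSSD's localauth registration (assumed).
    cat > "$d/krb5.include.d/localauth_plugin" <<EOF
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }
EOF
    if sssd_localauth_enabled "$d/krb5.conf"; then
        echo "$d/krb5.conf: SSSD localauth plugin is enabled"
    else
        echo "$d/krb5.conf: SSSD localauth plugin is not enabled"
    fi
    rm -rf "$d"
}

demo
```

Run it against the real file with `sssd_localauth_enabled /etc/krb5.conf` after sourcing the script; a hit means the mapping path described in the advisory is live on that host and the mitigation (or the vendor update) still needs to be applied, while a miss only means the plugin is not registered through krb5.conf includes, not that the host is patched.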