Red Hat has thanked Positive Technologies' PT SWARM expert Mikhail Sukhov for identifying a critical vulnerability in FreeIPA, a domain controller for Linux systems. FreeIPA enables centralized management of user accounts, access policies, and auditing. It is included in the Red Hat Enterprise Linux distribution, used by over 2,000 organizations worldwide, and forms the foundation for IT products from various vendors, including domestic ones. If exploited, the vulnerability could have allowed attackers to steal confidential company data. The vendor was notified of the threat in line with the responsible disclosure policy and has already released software patches.
The vulnerability, identified as CVE-2025-4404 (BDU:2025-04863), affected FreeIPA versions 4.12.2 and 4.12.3. It received a critical severity score of 9.4 out of 10 on the CVSS 4.0 scale. Exploiting the vulnerability could have allowed attackers to escalate their privileges to domain administrator, granting them access to sensitive company data.
To mitigate the issue, organizations must update FreeIPA to version 4.12.4. For those unable to install the patch, Positive Technologies recommends additional user rights checks. This includes enabling mandatory PAC (Privilege Attribute Certificate) usage on all servers managing Kerberos authentication. Additionally, the krbCanonicalName attribute for the administrator account should be set to admin@REALM.LOCAL, ensuring the system correctly identifies privileged users.
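The krbCanonicalName recommendation above is something an administrator can verify rather than assume. The script below is an added example, not code from Positive Technologies or the FreeIPA project: it queries the directory for the admin account's krbCanonicalName with ldapsearch and checks that the value is exactly the expected principal. The realm REALM.LOCAL, the base DN under dc=realm,dc=local and the LDIF samples are assumptions and constructed data, so the check can be run offline before pointing it at a real server.

```shell
#!/bin/sh
# Added example (not from Positive Technologies or the FreeIPA project):
# verify that the admin account's krbCanonicalName is exactly the expected
# principal. The realm and base DN are assumptions; adjust them for your
# deployment. The LDIF samples at the bottom are constructed to look like
# "ldapsearch -LLL" output, so the check can be exercised offline.

EXPECTED_PRINCIPAL="admin@REALM.LOCAL"
ADMIN_DN="uid=admin,cn=users,cn=accounts,dc=realm,dc=local"

# Live query against the FreeIPA directory (needs a valid Kerberos ticket).
fetch_admin_ldif() {
    ldapsearch -LLL -Y GSSAPI -b "$ADMIN_DN" krbCanonicalName
}

# Read LDIF on stdin and print the krbCanonicalName value. Attribute names
# are matched case-insensitively, and both the plain form ("attr: value")
# and the base64 form ("attr:: dmFsdWU=") that ldapsearch may emit are handled.
extract_canonical_name() {
    awk '
        tolower($1) == "krbcanonicalname::" { print "B64 " $2; exit }
        tolower($1) == "krbcanonicalname:"  { print "RAW " $2; exit }
    ' | {
        read -r kind value || exit 1
        if [ "$kind" = "B64" ]; then
            printf '%s' "$value" | base64 -d
        else
            printf '%s' "$value"
        fi
    }
}

# Exit status 0 only when the attribute is present and matches exactly;
# a missing attribute or a different principal is reported as a failure.
check_canonical_name() {
    actual=$(extract_canonical_name || true)
    if [ -z "$actual" ]; then
        echo "FAIL: krbCanonicalName is not set on the admin account" >&2
        return 1
    fi
    if [ "$actual" != "$EXPECTED_PRINCIPAL" ]; then
        echo "FAIL: krbCanonicalName is '$actual', expected '$EXPECTED_PRINCIPAL'" >&2
        return 1
    fi
    echo "OK: krbCanonicalName is $actual"
}

# Constructed sample: the recommended state.
SAMPLE_OK='dn: uid=admin,cn=users,cn=accounts,dc=realm,dc=local
krbCanonicalName: admin@REALM.LOCAL
'
# Constructed sample: attribute absent, which the check must flag.
SAMPLE_MISSING='dn: uid=admin,cn=users,cn=accounts,dc=realm,dc=local
'

# Against a real server, run: fetch_admin_ldif | check_canonical_name
```

To check a live server, pipe the real query into the check (`fetch_admin_ldif | check_canonical_name`) after obtaining a ticket with kinit; the exit status makes the script usable from a configuration audit or cron job.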
FreeIPA is open source software considered a strong alternative to Microsoft's Active Directory. The project is supported by a developer community and Red Hat, whose services are used by 90% of Fortune Global 500 companies. FreeIPA is currently deployed in over 500 organizations worldwide.