Script-only privilege escalation chain using CVE-2025-6019 and UDisks2 (no filesystem image included).
This repository does not introduce a new vulnerability. The privilege-escalation technique implemented here is fully based on previously published research. I could not find an existing script that operates without on-target image creation, which motivated the creation of this automation script.
The root cause analysis, exploitation workflow, and mitigation guidance were researched and disclosed by the original CVE authors:
๐ https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
All credit goes to the original researchers for the discovery and responsible disclosure.
Exploit Chain Overview
This script is not a standalone exploit and must be used as part of a chained attack path.
CVE-2025-6018 must be exploited first This step is required to obtain the correct execution context and D-Bus permissions. This repository does not provide an exploit for CVE-2025-6018. However you may find suitable exploit using the following link:
๐ https://www.exploit-db.com/exploits/52386
After successful exploitation of CVE-2025-6018, the attacker gains the ability to interact with:
org.freedesktop.login1 org.freedesktop.UDisks2
A crafted sequence of gdbus and udisks operations is then used to trigger a logic flaw, resulting in a privileged filesystem operation.
This ultimately leads to the creation of a SUID-privileged shell, allowing escalation to root.
This PoC is specifically adapted for systems where mkfs.xfs is NOT available on the target. Instead of creating a filesystem dynamically, it relies on a pre-existing XFS image. The image creation process and recommended workflow are documented in the original advisory and must be followed exactly:
๐ https://cdn2.qualys.com/2025/06/17/suse15-pam-udisks-lpe.txt
The image must be prepared separetly before running this script and is considered part of the overall exploit chain.
Assumptions & Scope
Target system is a vulnerable SUSE / openSUSE-based environment CVE-2025-6018 has already been successfully exploited Required D-Bus services are available and reachable This script focuses on reliability and clarity, not stealth or evas
