UNIX Symlink Following Vulnerability in openSUSE Tumbleweed's cyrus-imapd
CVE-2025-23394

9.8CRITICAL

Key Information:

Vendor: Suse
Status: Opensuse Tumbleweed
Vendor: CVE Published:; 26 May 2025

What is CVE-2025-23394?

A vulnerability exists in openSUSE Tumbleweed’s cyrus-imapd that allows for the manipulation of symbolic links, which can lead to unauthorized privilege escalation from the cyrus user to root. This issue is present in versions prior to 3.8.4-2.1.

Affected Version(s)

openSUSE Tumbleweed ? < 3.8.4-2.1

References

https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-23394

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
May 26, 2025
Vulnerability Reserved
Jan 15, 2025

Credit

Matthias Gerstner, SUSE

JSON

Suse

What is CVE-2025-23394?

Affected Version(s)

References

CVSS V3.1

Timeline

Credit