CVE-2025-46811 in Container Manager
Summary
by MITRE • 07/30/2025
A Missing Authentication for Critical Function vulnerability in SUSE Manager allows anyone with access to the websocket at /rhn/websocket/minion/remote-commands to execute arbitrary commands as root.
This issue affects Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before 0.3.7-150600.3.6.2; Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before 5.0.14-150600.4.17.1; Container suse/manager/5.0/x86_64/server:5.0.5.7.30.1: from ? before 5.0.14-150600.4.17.1; Image SLES15-SP4-Manager-Server-4-3-BYOS: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE: from ? before 4.3.33-150400.3.55.2; Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE: from ? before 4.3.33-150400.3.55.2; SUSE Manager Server Module 4.3: from ? before 0.3.7-150400.3.39.4; SUSE Manager Server Module 4.3: from ? before 4.3.33-150400.3.55.2; SUSE Manager Server Module 4.3: from ? before 4.3.33-150400.3.55.2.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 05/25/2026
The vulnerability described in CVE-2025-46811 represents a critical authentication failure within SUSE Manager that exposes a websocket endpoint to unauthorized command execution. This issue stems from a missing authentication check for a function that should require privileged access, specifically targeting the /rhn/websocket/minion/remote-commands endpoint. The flaw allows any attacker with network access to the affected system to establish a websocket connection and execute arbitrary commands with root privileges, fundamentally undermining the security model of the platform. This type of vulnerability aligns with CWE-306, which specifically addresses missing authentication for critical functions, and represents a severe deviation from secure coding practices that should enforce proper access controls for administrative operations.
The technical exploitation of this vulnerability occurs through the websocket interface that SUSE Manager uses for remote command execution on managed minions. When an attacker connects to the specified websocket endpoint, no authentication mechanism is enforced to verify the identity or authorization level of the connecting user. This creates a direct pathway for privilege escalation, as the system processes incoming commands without validating whether the requester possesses the necessary administrative credentials. The attack surface is particularly concerning because it affects multiple container images and server modules, indicating a widespread implementation issue that spans across different deployment configurations of SUSE Manager. The vulnerability's impact is amplified by the fact that it operates at the system level, allowing execution of commands that could compromise entire infrastructure components.
Operational consequences of this vulnerability extend far beyond simple unauthorized access, as the ability to execute commands as root provides attackers with complete control over affected systems. An attacker could leverage this vulnerability to install malicious software, modify system configurations, exfiltrate sensitive data, or establish persistent backdoors within the managed environment. The exposure of such a critical function through an unauthenticated websocket interface creates a significant risk for organizations relying on SUSE Manager for system management and orchestration. This vulnerability particularly affects enterprise environments where SUSE Manager is used to manage large fleets of servers, as a single compromised connection could potentially impact multiple managed systems. The risk is further compounded by the fact that this vulnerability affects multiple versions and deployment targets, suggesting that organizations may be exposed across their entire infrastructure landscape.
Organizations should immediately implement mitigations that address the root cause of this authentication failure. The primary recommendation involves applying the vendor-provided patches that introduce proper authentication mechanisms for the websocket endpoint. Additionally, network-level controls should be implemented to restrict access to the websocket endpoint, such as firewall rules that limit connections to trusted IP addresses or require secure transport protocols. Organizations should also consider implementing network segmentation to isolate SUSE Manager components from less secure network zones. From a monitoring perspective, security teams should establish alerts for websocket connections to the affected endpoint, as unusual connection patterns could indicate exploitation attempts. The vulnerability's classification under CWE-306 and its potential mapping to ATT&CK technique T1059.007 for command and scripting interpreter suggests that defensive measures should include both access control enforcement and behavioral monitoring to detect anomalous command execution patterns.