What is the critical vulnerability in SUSE Manager (CVE-2025-46811)?

A critical security vulnerability (CVE-2025-46811, CVSS score 9.8) has been reported in SUSE Manager that enables unauthorized attackers to execute arbitrary commands with root privileges on affected systems. It's a Missing Authentication for Critical Function weakness in SUSE Manager's websocket communication infrastructure affecting the /rhn/websocket/minion/remote-commands endpoint.

What is SUSE Manager and why is this vulnerability so serious?

SUSE Manager is an enterprise systems management solution that provides centralized management of SUSE Linux Enterprise servers and other systems. This vulnerability is extremely serious because it allows anyone with network access to execute Salt commands across the entire managed infrastructure with root privileges, potentially compromising hundreds or thousands of managed systems simultaneously.

How does the CVE-2025-46811 vulnerability work technically?

The vulnerability affects the /rhn/websocket/minion/remote-commands endpoint, which was designed for real-time communication between SUSE Manager servers and managed client systems. This endpoint completely lacks proper authentication verification mechanisms, allowing any individual with network connectivity to port 443 of a SUSE Manager instance to execute Salt commands without providing credentials.

Which SUSE Manager versions and deployments are affected?

Multiple deployments are affected including container deployments using suse/manager/5.0/x86_64/server:5.0.5.7.30.1, SUSE Linux Enterprise Server 15 SP4 Manager Server images on Amazon EC2, Microsoft Azure, and Google Cloud Engine BYOS implementations, SUSE Manager Server Module 4.3 installations, and the latest SUSE Manager version 5.0.4.1.

Has the vulnerability been proven exploitable?

Yes, security researchers have created a proof-of-concept HTML webpage that connects to the vulnerable websocket endpoint and executes commands without authentication. Testing conducted using an incognito browser session confirmed that arbitrary Salt commands can be executed across managed systems with root privileges, eliminating any possibility of session cookie authentication.

What is the CVSS score and severity of CVE-2025-46811?

CVE-2025-46811 has a CVSS score of 9.8, indicating critical severity. This maximum severity rating reflects the fact that the vulnerability allows complete administrative control over managed infrastructure without any authentication requirements, potentially affecting entire data center environments.

What should organizations do immediately about this SUSE Manager vulnerability?

Organizations must treat this as a critical security emergency. First priority should be identifying all SUSE Manager instances and blocking network exposure to the vulnerable endpoint. They should implement network-level access controls to restrict connectivity to the websocket endpoint, prioritize applying security patches on all systems, and verify patch deployment across their infrastructure.

Are security patches available for CVE-2025-46811?

Yes, SUSE has released security updates to address CVE-2025-46811. Organizations should prioritize patching on all affected systems immediately. Until patches are fully deployed and verified, network-level access controls should be implemented to restrict connectivity to the vulnerable websocket endpoint.

What temporary mitigations can be implemented for this vulnerability?

Until patches can be applied, organizations should implement network-level access controls to block external access to port 443 on SUSE Manager instances, restrict network connectivity to the /rhn/websocket/minion/remote-commands endpoint specifically, implement firewall rules to limit access to authorized IP addresses only, and monitor network traffic for suspicious websocket connections to SUSE Manager systems.

Why is this vulnerability particularly dangerous for enterprise environments?

This vulnerability is extremely dangerous because SUSE Manager is designed to centrally manage large numbers of enterprise systems. A single successful attack can provide root-level access to potentially hundreds or thousands of managed servers simultaneously, making it a high-value target for attackers seeking to compromise entire enterprise infrastructures through a single point of entry.

What are the broader implications of the SUSE Manager authentication bypass?

This vulnerability highlights critical risks in enterprise management platforms where a single security flaw can expose entire managed infrastructures. It demonstrates the importance of proper authentication mechanisms in administrative interfaces, the need for regular security audits of management systems, and the cascading security risks when centralized management platforms are compromised by attackers.

Advisory

Critical flaw in SUSE Manager exposes enterprise deployments to compromise

Q: How was the SUSE Manager vulnerability discovered?

The vulnerability was discovered during an internal security audit conducted by a customer organization. Security researchers found that the websocket endpoint completely bypasses authentication requirements when processing remote command requests, creating a critical security gap in the system's access controls.

published: July 31, 2025

Take action: This one is URGENT: If you have SUSE Manager systems, immediately block network access to port 443 or isolate these systems from untrusted networks. Attackers can execute commands with root privileges without any authentication. Then plan an urgent update of the systems.

Learn More

A critical security vulnerability is reported in SUSE Manager that enables unauthorized attackers to execute arbitrary commands with root privileges on affected systems.

The vulnerability is tracked as CVE-2025-46811 (CVSS score 9.8), and is a Missing Authentication for Critical Function weakness in SUSE Manager's websocket communication infrastructure. The vulnerability affects the /rhn/websocket/minion/remote-commands endpoint, which was designed to facilitate real-time communication between SUSE Manager servers and their managed client system. This endpoint lacks proper authentication verification mechanisms, creating a vector for unauthorized administrative access.

During an internal security audit conducted by a customer organization, security researchers discovered that the websocket endpoint completely bypasses authentication requirements when processing remote command requests. This allows any individual with network connectivity to port 443 of a SUSE Manager instance to execute Salt commands across the entire managed infrastructure without providing credentials.

The vulnerability impacts multiple SUSE Manager deployments:

Container deployments using suse/manager/5.0/x86_64/server:5.0.5.7.30.1
SUSE Linux Enterprise Server 15 SP4 Manager Server images deployed on major cloud platforms, including Amazon EC2, Microsoft Azure, and Google Cloud Engine BYOS (Bring Your Own Subscription) implementations.
SUSE Manager Server Module 4.3 installations
Testing conducted on the latest SUSE Manager version 5.0.4.1 confirmed that the vulnerability affects current releases

Security researchers have created a proof-of-concept HTML webpage that connects to the vulnerable websocket endpoint and executes commands without authentication. The demonstration, conducted using an incognito browser session to eliminate any possibility of session cookie authentication, confirmed that arbitrary Salt commands can be executed across managed systems with root privileges.

Organizations operating affected SUSE Manager versions must treat this vulnerability as a critical security emergency. The first priority should be identifying all SUSE Manager instances within the organization and blocking network exposure to the vulnerable endpoint.

SUSE has released security updates and organizations should prioritize patching on all systems. Until patches are fully deployed and verified, organizations should implement network-level access controls to restrict connectivity to the vulnerable websocket endpoint.

Critical flaw in SUSE Manager exposes enterprise deployments to compromise

Read More
Critical Privilege Escalation Vulnerabilities Patched in OpenClaw AI …
Critical vulnerability in CrushFTP actively exploited
Critical Citrix NetScaler Vulnerability CVE-2026-3055 Exploited in the …
Multiple Dell Storage Manager vulnerabilities patched, at least …
IBM reports multiple flaws in QRadar Suite, including …