What is the critical vulnerability in SUSE Manager (CVE-2025-46811)?

A critical security vulnerability (CVE-2025-46811, CVSS score 9.8) has been reported in SUSE Manager that enables unauthorized attackers to execute arbitrary commands with root privileges on affected systems. It's a Missing Authentication for Critical Function weakness in SUSE Manager's websocket communication infrastructure affecting the /rhn/websocket/minion/remote-commands endpoint.

What is SUSE Manager and why is this vulnerability so serious?

SUSE Manager is an enterprise systems management solution that provides centralized management of SUSE Linux Enterprise servers and other systems. This vulnerability is extremely serious because it allows anyone with network access to execute Salt commands across the entire managed infrastructure with root privileges, potentially compromising hundreds or thousands of managed systems simultaneously.

How does the CVE-2025-46811 vulnerability work technically?

The vulnerability affects the /rhn/websocket/minion/remote-commands endpoint, which was designed for real-time communication between SUSE Manager servers and managed client systems. This endpoint completely lacks proper authentication verification mechanisms, allowing any individual with network connectivity to port 443 of a SUSE Manager instance to execute Salt commands without providing credentials.

Which SUSE Manager versions and deployments are affected?

Multiple deployments are affected including container deployments using suse/manager/5.0/x86_64/server:5.0.5.7.30.1, SUSE Linux Enterprise Server 15 SP4 Manager Server images on Amazon EC2, Microsoft Azure, and Google Cloud Engine BYOS implementations, SUSE Manager Server Module 4.3 installations, and the latest SUSE Manager version 5.0.4.1.

How was the SUSE Manager vulnerability discovered?

The vulnerability was discovered during an internal security audit conducted by a customer organization. Security researchers found that the websocket endpoint completely bypasses authentication requirements when processing remote command requests, creating a critical security gap in the system's access controls.

Has the vulnerability been proven exploitable?

Yes, security researchers have created a proof-of-concept HTML webpage that connects to the vulnerable websocket endpoint and executes commands without authentication. Testing conducted using an incognito browser session confirmed that arbitrary Salt commands can be executed across managed systems with root privileges, eliminating any possibility of session cookie authentication.

What is the CVSS score and severity of CVE-2025-46811?

CVE-2025-46811 has a CVSS score of 9.8, indicating critical severity. This maximum severity rating reflects the fact that the vulnerability allows complete administrative control over managed infrastructure without any authentication requirements, potentially affecting entire data center environments.

What should organizations do immediately about this SUSE Manager vulnerability?

Organizations must treat this as a critical security emergency. First priority should be identifying all SUSE Manager instances and blocking network exposure to the vulnerable endpoint. They should implement network-level access controls to restrict connectivity to the websocket endpoint, prioritize applying security patches on all systems, and verify patch deployment across their infrastructure.

Are security patches available for CVE-2025-46811?

Yes, SUSE has released security updates to address CVE-2025-46811. Organizations should prioritize patching on all affected systems immediately. Until patches are fully deployed and verified, network-level access controls should be implemented to restrict connectivity to the vulnerable websocket endpoint.

What temporary mitigations can be implemented for this vulnerability?

Until patches can be applied, organizations should implement network-level access controls to block external access to port 443 on SUSE Manager instances, restrict network connectivity to the /rhn/websocket/minion/remote-commands endpoint specifically, implement firewall rules to limit access to authorized IP addresses only, and monitor network traffic for suspicious websocket connections to SUSE Manager systems.

Why is this vulnerability particularly dangerous for enterprise environments?

This vulnerability is extremely dangerous because SUSE Manager is designed to centrally manage large numbers of enterprise systems. A single successful attack can provide root-level access to potentially hundreds or thousands of managed servers simultaneously, making it a high-value target for attackers seeking to compromise entire enterprise infrastructures through a single point of entry.

What are the broader implications of the SUSE Manager authentication bypass?

This vulnerability highlights critical risks in enterprise management platforms where a single security flaw can expose entire managed infrastructures. It demonstrates the importance of proper authentication mechanisms in administrative interfaces, the need for regular security audits of management systems, and the cascading security risks when centralized management platforms are compromised by attackers.

Incident

Cycle & Carriage Singapore reports data breach exposing data of 147 K clients

published: Aug. 1, 2025

Learn More

Cycle & Carriage Singapore (C&C), a Singapore's based automotive company, is reporting a data breach that compromised approximately 147,000 customer data records through unauthorized access to its customer relationship management system.

The incident was discovered on July 14, 2025. C&C has initiated an investigation with external forensic investigators to determine the possible causes of the cyberattack. The exposed data includes:

Customer names
Email addresses
Phone numbers
Mailing addresses
Identity card numbers (approximately 2% of records)
Deposit amounts (approximately 2% of records)

C&C claims that most of the downloaded records are missing some of the information and that banking information and credit card details were not compromised. The nature of the attack is not disclosed.

C&C began notifying customers on July 30, 2025.

The Singapore Personal Data Protection Commission (PDPC) has been notified and has launched an investigation.targeting the affected individuals. The Personal Data Protection Commission's investigation will likely examine C&C's data protection practices, security controls, and compliance with Singapore's data protection requirements.

Cycle & Carriage Singapore reports data breach exposing data of 147 K clients

Read More
Alphv ransomware group claims they have compromised audio …
Findlay Auto Group reports cyber attack
Everest Ransomware group claims 900GB data theft from …
Jaguar Land Rover reports cyberattack that severely disrupted …
Black Nevas ransomware group claims data theft from …