Network Security
system security Linux network
system security Linux network The romanticized image of the digital nomad – a laptop on a sun-drenched balcony – rarely accounts for the actual friction of maintaining a professional development environment on the move. . The friction is amplified with Linux. We are looking for a setup that respects our kernel configurations, handles volatile network handovers, and maintains a strict security posture without the hand-holding of a consumer-grade OS – so, put simply, more than just a laptop and a sunny deck. The hardware is...
May 26, 2026
Server Securityopen-source Linux administration
open-source Linux administration Cron has existed in Unix and Linux environments for decades, handling backups, cleanup scripts, patching jobs, log rotation, monitoring tasks, and other maintenance work that administrators do not want to run manually. Most Linux servers rely on it constantly, which is exactly why attackers continue abusing it for persistence after a system has already been compromised. . Persistence through cron is not complicated. Attackers do not need a rootkit or advanced malware framework to maintain...
May 25, 2026
Vendors/Productssecurity breach linux
security breach linux A major internal repository breach at GitHub has exposed a critical and overlooked blind spot in Linux supply chain security. Kernel exploits, exposed SSH services, weak firewall rules, and vulnerable daemons dominated the Linux threat model for years, and in many environments, they still matter. But recent supply-chain incidents involving GitHub ecosystems, npm packages, and malicious developer tooling point somewhere else entirely: the developer workstation. . The breach matters because...
May 21, 2026
Security Trends access control multi-tenant
access control multi-tenant Linux administrators often face an ugly choice in the cloud: prioritize convenience and cost-efficiency by sharing infrastructure, or sacrifice those benefits for the sake of total isolation. Most modern Linux workloads don't live on their own private servers anymore. They live in shared environments like Kubernetes clusters, where multiple teams and services run side-by-side. It sounds efficient, and it usually is. . But cloud isolation isn't as ironclad as it looks on the diagram. If you...
May 21, 2026
Vendors/Productsincident response cloud security
incident response cloud security Managed Extended Detection and Response (MXDR) has become one of the most sought-after security services in the enterprise market — and with good reason. It promises the holy grail: broad visibility across endpoints, network, cloud, email, and identity, combined with the 24/7 human expertise most organizations simply cannot build in-house. . However, the rapid growth of the market has produced a wide range of providers whose capabilities vary considerably beneath the surface. Choosing the...
May 19, 2026
Refine news
X Clear Filters
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Loading...
Explore Latest Linux Security news
We found 34 articles for you...
77
security advisorycriticalprivilege escalationCISA: Critical Sudo Flaw CVE-2025-32463 Requires Immediate Action
CISA has added CVE-2025-32463 to its Known Exploited Vulnerabilities catalog, a flaw in sudo that affects nearly every Linux distribution. The bug allows a limited account to escalate to root, which is why it has drawn immediate attention. . Sudo is the gatekeeper for elevated permissions, built into everything from personal machines to enterprise servers. Because of that, even a small weakness has weight for the wider linux security community. This particular bug enables someone with limited access to bypass security controls and directly access the root, where system controls effectively end. CISA’s listing confirms it’s being used in the wild. For administrators, that means updates should move quickly onto the patch schedule, not linger in the queue. What Is Sudo and Why Does It Matter? Sudo, short for “superuser do,” is the tool Linux systems use to grant temporary administrator rights. Instead of staying logged in as root, users and sysadmins borrow that authority for specific commands — installing software, restarting services, or editing system files. This model reduces accidents and narrows attack windows. It’s also why sudo is a cornerstone of linux security: when it fails, the line between ordinary users and root vanishes. It’s also a cornerstone of linux security. By containing when and how full control is granted, sudo reduces the chance of accidents and narrows the opportunities for attackers. When that safeguard breaks down, the gap between limited access and root disappears, turning an ordinary bug into a privilege escalation vulnerability with far-reaching impact. The Impact on Linux Security and Root Access Sudo is installed by default on nearly every Linux distribution. That reach makes any flaw in it far more than a corner-case bug. When an attacker reaches root, system controls end. They can read or alter files, disable services, erase logs, and establish persistence. From there, moving laterally to other machines is often the next step. CISA’s addition of CVE-2025-32463 to its catalog confirms that exploitation is underway. For individual users, this raises the risk of compromise on personal devices. For enterprises, it expands into compliance, detection, and containment challenges across fleets of servers. This is why the linux security community treats sudo weaknesses with urgency. They affect casual users and system administrators alike, and they don’t remain theoretical for long. Similar Linux vulnerabilities actively exploited in the wild show the same pattern: once a path to root is known, attackers adopt it quickly, and delays in patching translate directly to exposure. The Vulnerability (CVE-2025-32463) CVE-2025-32463 affects sudo versions 1.9.14 through 1.9.17. The issue shows up during sudo’s startup sequence in a chroot. If an attacker can place a crafted /etc/nsswitch.conf in that environment, they can redirect how sudo performs name-service lookups. That redirection can pull in malicious code during initialization, which then runs with elevated privileges. The result is a direct path to the root, even for accounts that are not in sudoers. Technical details and impact are covered in the NVD entry for CVE-2025-32463 . The maintainers closed the gap in with version 1.9.17p1. Systems running anything earlier in the 1.9.14–1.9.17 range remain exposed until that update is applied. What makes this class of bug so important is how it reshapes the trust model around privilege management. Sudo is supposed to contain risk by limiting when and how elevated rights are granted. A weakness here flips that safeguard into an attack vector. We’ve covered this pattern before in our analysis of sudo flaws , and CVE-2025-32463 fits directly into that risk profile: a privilege escalation route that undermines the very control mechanism administrators rely on. CISA’s Advisory in Simple Terms Here is what that advisory means in practical terms. Who must comply: Federal Civilian Executive Branchagencies. For them, KEV entries are mandatory tasks, not guidance. What “added to KEV” signals: Active exploitation has been observed. The entry elevates this issue to the top of patch queues. Dates that matter: Added September 3, 2025. Remediation due October 20, 2025. The due date is the latest point by which affected systems must be fixed or formally addressed. What counts as remediation: Apply the vendor’s update or approved mitigation. If a system cannot be updated in time, agencies are expected to isolate, remove, or otherwise control the risk and document the exception. Scope: All affected assets, not just internet-facing ones. Workstations, servers, images, and container bases are in scope if they carry the vulnerable component. Inventory and verification: Identify where the component is present, schedule the change, implement the fix, and record completion in the vulnerability management process. Keep evidence for audit. For non-federal teams: Treat the KEV due date as a practical benchmark. Align the patch with your next change window or expedite if exposure is high. The signal is about prioritization, not panic. For non-federal organizations, the advisory serves as a benchmark of urgency. When a vulnerability appears in KEV with a firm deadline, it’s a signal that attackers are already using it, and patching should be treated as an immediate priority. How to Protect Your Systems The immediate step is to update sudo. Version 1.9.17p1 closes the vulnerability, and distributions have already shipped their own updates: Ubuntu security notice for sudo Red Hat advisory for sudo Debian security tracker for sudo Administrators should confirm which package versions are present and apply the update through normal patch workflows. Updating is only part of the picture. Systems using --chroot deserve extra attention. If unprivileged users can write inside those directories, they may be able to replicate the exploit. Auditing chrootusage and tightening controls around who can create or modify them reduces that risk. Logs are another valuable layer. Unusual sudo activity, commands being run with unexpected flags, from unexpected paths, or at odd hours, can point to misuse or testing of the exploit chain. Monitoring for these signals is a way to catch attempts that slip past other defenses. Long-term resilience depends on structure. Patch management is not just about applying fixes; it’s about having a process that keeps servers current without breaking workflows. Teams that build discipline around it reduce the window that attackers can exploit. Practical approaches to Linux patch management show how scheduled updates and controlled rollouts keep environments stable, even when new vulnerabilities surface. For anyone new to the concept, understanding what Linux patching involves is the first step toward building that routine. Broader Lessons for Linux Security Sudo isn’t the first core Linux tool to face a serious flaw, and it won’t be the last. Over time, utilities and subsystems that feel stable and routine reveal weaknesses once attackers start probing them. That reality points to a broader lesson. Security is less about assuming trust in long-standing tools and more about maintaining habits that catch problems early and limit the damage when they appear. Regular patching reduces exposure windows, monitoring highlights when attackers test new angles, and layered defenses prevent one failure from tipping into a breach. The same approach applies across the ecosystem. Past analyses of safeguarding Linux networks against exploits show how quickly threats evolve once proof-of-concept code is public. Building resilience into operations, through disciplined updates and layered protections, is what sustains linux security in the long term. Next Steps: Responding to CVE-2025-32463 Attackers are exploiting CVE-2025-32463 now, which makes delaying the biggest risk. Patching to the fixed sudo releasecloses the door, but it should be paired with monitoring for abnormal sudo use and hardening measures that limit what root can do if an attacker gets that far. The larger call is to treat this not as a one-off, but as a reminder that vulnerabilities in trusted utilities will continue to surface. Staying protected means building habits — patch on schedule, review the logs, and maintain defenses in depth. That awareness is what sustains continuous linux security in practice. For teams looking to keep pace, tracking advisories and following updates on the newest security vulnerabilities ensures that each flaw is addressed before it becomes an incident. . CISA addresses critical sudo flaw CVE-2025-32463 affecting Linux. Immediate updates required for protection.. CISA advisory, sudo flaw, CVE-2025-32463, Linux security, privilege escalation. . MaK Ulac
Oct 02, 2025
•
Server Security
83
security advisoryroot accessLinux serversAdvisory: Perfctl Crypto Mining Threat on Linux Servers
Security researchers have discovered a sophisticated strain of malware targeting Linux servers dubbed Perfctl. Its dual purpose is mining cryptocurrency and proxyjacking. . This malware exploits vulnerabilities while operating stealthily to avoid detection mechanisms, posing a significant risk to organizations relying on Linux-based infrastructures. In this article, I'll help you understand this threat, determine if you are at risk, and share advice for detecting and preventing infections. Let's begin by examining this malware and how it works. Understanding Perfctl Malware Perfctl malware has proven itself elusive and persistent over the years. Aqua Security researchers Assaf Morag and Idan Revivo state that its primary objective is running cryptocurrency mining and proxyjacking software on compromised Linux servers. Aqua Security researchers reported that Perfctl employs various sophisticated techniques to stay undetected while remaining persistent on infected machines. When Perfctl infiltrates a server, all resource-intensive activities immediately cease when a new user logs on. It is dormant until server traffic subsides again, thus avoiding detection by humans checking performance metrics periodically. When executed, Perfctl deletes its binary to cover its tracks before continuing as an invisible background service. The Attack Chain Perfctl Attack Chain (Source: Aqua Nautilus) Perfctl employs an effective and innovative attack chain. After exploiting a vulnerable Apache RocketMQ instance to deliver an initial payload known as "httpd," execution of this payload copies itself into the "/tmp" directory, launches another binary process, and deletes itself to mask its presence and avoid detection. Hence, its presence remains obscured until detection occurs later on. Perfctl takes advantage of a security flaw in Polkit ( CVE-2021-4043 or PwnKit) to gain root privileges and use them to deploy its primary payload: a cryptocurrency miner named perfcc and rootkit protectionagainst defense evasion. Some instances also download and execute proxyjacking software from remote servers, highlighting its dual nature. Evasion Mechanisms Perfctl uses several sophisticated evasion techniques to avoid detection and removal, including binary deletion. Upon execution, Perfctl deletes its initial binary file immediately - making it hard for security researchers to pinpoint its origin. Perfctl uses a rootkit to hide its processes and activities from system monitors and administrators, as well as fileless attack methods aimed at operating solely within memory, which help avoid traditional file-based antivirus and detection tools. Named "perfctl," the malware's name seeks to appear as a legitimate system process. Perf stands for Linux performance monitoring tool, while "ctl" is often seen in command-line tools like systemctl or timedatectl - giving an appearance of benignness to this dangerous code. Impact of an Attack A Perfctl attack can have grave repercussions that wreak havoc on affected systems and organizations, with cryptocurrency mining taking up significant system resources, leading to decreased performance and rising operational costs. Given its root access, malware could use this opportunity to exfiltrate sensitive data from compromised computers - creating severe security risks. Proxyjacking attacks also can take advantage of compromised systems to route malicious traffic and implicate victims in illegal activities. Perfctl's persistence mechanisms can cause extended operational downtime as organizations work to identify and mitigate its infection. Furthermore, for organizations governed by regulatory bodies such as HIPPA/FERPA regulations, successful Perfctl attacks could mean noncompliance with data security regulations - which could lead to severe legal and financial repercussions for noncompliance. What Countries & Sectors Are Affected by Perfctl? The Perfctl malware campaign has had a devastating effect on numerous countries and sectors worldwide, mostnotably in the US, Germany, and South Korea—three countries that heavily rely on Linux servers, particularly within cloud and enterprise environments. As these locations boast high computational demands due to widespread Linux server usage, they have become prime targets of Perfctl crypto mining and proxyjacking activities. Perfctl has targeted cryptocurrency and NFT platforms and the software development and publishing industries, specifically exploiting server resources for crypto mining purposes without being detected by users. These industries are particularly vulnerable because they often operate within Linux environments with open-source platforms and utilize developer forums and repositories as propagation methods. Hence, there is a need for enhanced cybersecurity measures in these industries to minimize its spread. Let's examine some measures developers and organizations can take to mitigate risk. Detection and Prevention Organizations need to implement comprehensive strategies to detect and prevent Perfctl attacks, which include adopting comprehensive detection tactics. This includes monitoring CPU usage for unexpected spikes or system slowdowns during idle periods, as these can indicate cryptocurrency mining activity, and employing rootkit detection and removal tools as well as network and host-based intrusion detection systems to monitor for abnormal activities and any attempts at unauthorized access. Prevention measures are also crucial. Ensuring regular updates and patches for systems and software helps address vulnerabilities like CVE-2021-4043 (PwnKit), which are gateways for malware entering systems. Implementing tight permissions to manage which files and binaries can be executed on the server is essential, as is disabling any services that could expose it to potential vulnerabilities. Network segmentation should be implemented to restrict an attacker's lateral movement within a network. Role-based access control (RBAC) should also be employed so only users who requireaccess can gain entry. These measures will significantly strengthen an organization's resilience against Perfctl threats. Our Final Thoughts on Combating the Perfctl Malware Threat Perfctl malware is a testament to the evolving complexity and sophistication of cyber threats targeting Linux servers. Perfctl poses a severe risk to organizations across various sectors by exploiting vulnerabilities while employing advanced evasion techniques. Monitoring system performance closely, updating security patches regularly, restricting file executions, and creating robust access controls are necessary measures against Perfctl attacks. As the digital landscape expands, so must our protection efforts against threats like Perfctl. . Trojanux malware breaches Windows flaws surreptitiously, compromising devices with ransomware threats and data exfiltration hazards.. Perfctl Malware,Crypto Mining,Linux Server Security,Cyber Threats,Security Evasion Techniques. . Brittany Day
Nov 26, 2024
•
Hacks/Cracks
210
security advisoryred hatdebianDebian, Ubuntu, Red Hat: CVE-2024-1086 Critical Threat of Kernel Exploit
In the world of open-source software , security vulnerabilities can have widespread consequences. The recent publication of a Linux privilege-escalation proof-of-concept exploit has sent shockwaves through the Linux community, demanding the immediate attention of Linux admins, infosec professionals, internet security enthusiasts, and sysadmins. . This flaw in the Linux kernel, CVE-2024-1086 , affects versions between 5.14 and 6.6.14 and can be exploited to gain root access on vulnerable machines. This could allow malicious actors to perform virtually any action they wish and could enable malware already on a computer to cause further damage. While the vulnerability has been patched, the implications and long-term consequences of such vulnerabilities warrant a closer examination. Using vulnerability management software can prevent such attacks. What Are the Implications of This Flaw? How Can I Secure My Systems Against It? Several critical aspects of this Linux kernel flaw should be highlighted. First, the vulnerability's extensive reach should be noted. It affects well-known Linux distributions such as Debian, Ubuntu, Red Hat, and Fedora. This broad scope raises concerns regarding the number of systems that might still be vulnerable despite the availability of patches. The bug hunter Notselwyn, who developed the proof-of-concept exploit, states, "Never had I ever gotten so much joy developing a project, specifically when dropping the first root shell with the bug." The Linux kernel flaw, with a CVSS severity rating of 7.8 out of 10, poses significant security risks to Linux systems. From a critical perspective, the immediate question arises: how was such a vulnerability present in the Linux kernel and remained undetected for so long? This highlights the need for robust security protocols and thorough code reviews within the open-source community to prevent such critical flaws from being exploited. Furthermore, this issue draws attention to the specific technical details ofthe exploit, encompassing the double-free bug in the Linux kernel's netfilter component involving nf_tables. A method called "Dirty Pagedirectory" is also used in this exploit, which builds on an earlier Linux kernel universal exploit technique. This technique grants unlimited, stable read/write access to all memory pages in a Linux system, ultimately providing an attacker complete control over the compromised system. This revelation raises questions about the potential misuse of this technique beyond the current exploit, highlighting the long-term consequences that this vulnerability may have on Linux security. Security practitioners, Linux admins, infosec professionals, and sysadmins must protect their systems against such vulnerabilities by applying the necessary patches and closely examining their security protocols to detect and prevent future vulnerabilities. Moreover, staying updated on security news and developments within the Linux community is crucial. Our Final Thoughts on This Recent Kernel Bug This article aims to shed light on a critical Linux kernel flaw that exposes systems to a privilege-escalation exploit and raise awareness among Linux admins, infosec professionals, and sysadmins about such vulnerabilities' potential risks and implications. By fostering a proactive approach to security, prioritizing patching, and continuously enhancing their security measures, admins can safeguard against future threats. . A significant flaw in the Linux kernel presents a danger of system compromise. Explore its consequences and mitigation techniques for enhanced security.. Linux Kernel Flaw, Privilege Escalation Threat, Security Risks, Vulnerability Management. . Brittany Day
Apr 19, 2024
•
Security Vulnerabilities
82
security advisoryroot accessLinux distributionCISA Advisory: Looney Tunables Bug Threatens Federal Linux Systems
On May 10th, 2019, the US Congress passed an order requiring federal agencies to patch a Linux bug that can be used to gain root access. The bug, known as "Looney Tunables," was discovered by security researchers in January and allows attackers to change the value of any kernel parameter on Linux systems running the 3.10 kernel or earlier. . While most Linux distributions have already patched this bug, some Linux installations may still be vulnerable if they do not receive regular updates from their vendors. Since the Looney Tunables bug affects older versions of the Linux operating system, it could be present on many servers and other devices running older versions of OpenStack and other open-source software packages. This could mean that large numbers of systems might remain vulnerable to attack even after being patched by their vendors. . Even with updates released for Daffy Dynamics, a lot of Unix platforms may remain at risk if not consistently patched.. Linux Bug Patch, Looney Tunables, Security Advisory. . Brittany Day
Nov 25, 2023
•
Government
210
security advisoryhigh severityprivilege escalationLinux Sudo: CVE-2023-22809 High Severity Root Access Risk
Sudo is one of the most essential, powerful, and often used tools that comes as a core command pre-installed on macOS and practically every other UNIX or Linux-based operating system. It is also one of the programs that comes pre-installed as a core command. . A system administrator has the ability to delegate authority to certain users or groups of users through the use of the sudo (su “do”) command, which provides an audit trail of the commands that were executed and the arguments that were passed to those commands. This allows the administrator to give certain users or groups of users the ability to run some or all commands as root or another user. A new sudo vulnerability was found. It was on sudoedit ( sudo -e ) flaw. With it, attackers can edit arbitrary files, and therefore machines were at the risk of the pwned and having information steeled. Researchers Matthieu Barjole and Victor Cutillas of Synacktiv uncovered the weakness, which was given the identifier CVE-2023-22809, in the sudoedit function for Linux. This vulnerability might enable a malicious user with sudoedit access to edit arbitrary files on a system running Linux. . An alarming exploitation flaw in sudo permits unprivileged accounts to escalate their privileges to root, jeopardizing system security.. Sudo Vulnerability, Root Access Risk, Linux Security Threat. . Brittany Day
Jan 23, 2023
•
Security Vulnerabilities
210
security advisoryprivilege escalationUbuntuUbuntu Advisory: CVE-2022-3328 Critical: Snap-Confine Root Exploit
Qualys researchers demonstrated how to chain a new Linux flaw with two other two issues to gain full root privileges on an impacted system. . Researchers at the Qualys’ Threat Research Unit demonstrated how to chain a new Linux vulnerability, tracked as CVE-2022-3328 , with two other flaws to gain full root privileges on an affected system. The vulnerability resides in the snap-confine function on Linux operating systems, a SUID-root program installed by default on Ubuntu. The snap-confine is used internally by snapd to construct the execution environment for snap applications, an internal tool for confining snappy applications. . Security experts from Qualys disclose a technique to link vulnerabilities in Linux for obtaining root privileges, presenting a vital advisory to enhance protection.. Ubuntu Snap-Confine Vulnerability, Linux Root Access, Privilege Escalation. . Brittany Day
Dec 14, 2022
•
Security Vulnerabilities
210
security advisoryhigh severitysecurity issueCISA Alert: High Severity PwnKit Root Access Exploit in Major Linux Distros
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added PwnKit as a high-severity Linux vulnerability to its list of actively exploited bugs . . Recorded as CVE-2021-4034 , with a CVSS score of 7.8/10, PwnKit was discovered by Qualys in November 2021 and can be used by hackers to gain full root control over major Linux distributions. The flaw is located in Polkit’s pkexec component used by most distributions (Ubuntu, Debian, CentOS, and others): “[the command] allows an authorized user to execute PROGRAM as another user. If username is not specified, then the program will be executed as the administrative super user, root.” . Uncovered by Qualys, PwnKit presents a critical vulnerability that grants unauthorized root privileges on various Linux systems.. PwnKit, Linux Exploit, Root Access Risk. . Brittany Day
Jul 05, 2022
•
Security Vulnerabilities
210
security advisoryhigh severityroot accessCISA: High-Severity Bug in Major Linux Distros PwnKit Root Access
A high-severity Linux vulnerability capable of granting abusers root access to target endpoints is being exploited in the wild, researchers have warned. . The flaw is found in Polkit’s pcexec component, which can be found in pretty much all major Linux distributions. Tracked as CVE-2021-4034, the flaw is dubbed PwnKit, and is described as a memory corruption bug. It allows threat actors full root privileges on Linux systems with default setups. What’s more, threat actors can exploit the bug without leaving a trace on the compromised endpoint. . A newly discovered weakness in Linux could permit malicious entities to gain root privileges. Take action immediately to fortify your defenses.. Polkit Exploit, Linux Security Flaw, Root Access Threat. . Brittany Day
Jun 30, 2022
•
Security Vulnerabilities
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Community Poll
What got you started with Linux?
Search Topics
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!
Explore top 10 tips to secure your open-source projects now. Read More