A critical security vulnerability has been discovered in SUSE Manager, a tool for centralized control of IT infrastructure running on various Linux distributions. The vulnerability, identified as CVE-2025-46811, allows attackers to execute commands on systems managed through SUSE Manager without authentication. These commands are executed with root privileges, giving the attacker full control over the entire infrastructure. The severity of this issue is rated at 9.3 out of 10.
The vulnerability stems from a WebSocket endpoint, “/rhn/websocket/minion/remote-commands”, that accepts commands without any access restrictions. This means that anyone able to send packets to network port 443 on a SUSE Manager server can execute arbitrary commands with root privileges on all managed systems. No authentication is needed: a request is accepted even when it carries no session identifier (sessionid).
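
The following detection example is added here and is not SUSE's code or part of the original article: it scans web server access logs for requests to the endpoint named above that come from outside the networks administrators are expected to use. It assumes the access log is in Apache combined format; the `ADMIN_NETS` allowlist and the sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Endpoint named in the advisory; compared case-insensitively to be conservative.
ENDPOINT = "/rhn/websocket/minion/remote-commands"

# Assumption: admin workstations reach the server only from these networks.
ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Apache combined log format: client, identity, user, [time], "request", status, ...
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def suspicious_requests(lines, admin_nets=ADMIN_NETS):
    """Return (timestamp, source, status) for endpoint hits from outside admin_nets."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        path = m["target"].split("?", 1)[0].rstrip("/").lower()
        if path != ENDPOINT:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            # Hostname instead of an address: cannot be allowlisted, so report it.
            hits.append((m["ts"], m["src"], int(m["status"])))
            continue
        if not any(src in net for net in admin_nets):
            hits.append((m["ts"], m["src"], int(m["status"])))
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '10.20.0.15 - - [01/Aug/2025:09:12:01 +0000] "GET /rhn/websocket/minion/remote-commands HTTP/1.1" 101 0 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [01/Aug/2025:09:14:33 +0000] "GET /rhn/websocket/minion/remote-commands HTTP/1.1" 101 0 "-" "-"',
    '198.51.100.4 - - [01/Aug/2025:09:15:02 +0000] "GET /rhn/manager/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [01/Aug/2025:09:16:10 +0000] "GET /Rhn/WebSocket/Minion/Remote-Commands/ HTTP/1.1" 403 199 "-" "-"',
]

if __name__ == "__main__":
    for ts, src, status in suspicious_requests(SAMPLE):
        note = "WebSocket upgrade accepted" if status == 101 else "not upgraded"
        print(f"{ts} {src} status={status} ({note})")
```

A status of 101 means the server accepted the WebSocket upgrade, so those hits deserve review first; a 403 or similar suggests a filter in front of the endpoint blocked the request.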
This vulnerability affects both standalone SUSE Manager installations and SUSE Linux installation images and containers, such as SUSE Manager Sles15-SP4-Manager-SERVER. The issue is present in SUSE Manager version 5.0.4.1 and has been fixed in updates 4.3.16 and 5.0.5.