Potential Exploitation of CVE-2025-5054 or CVE-2025-4598

Detects attempts by an attacker to enable core dumps for set-user-ID (SUID) processes by modifying the system file /proc/sys/fs/suid_dumpable, typically by setting its value to 1 or 2. Enabling this feature allows memory dumps (core dumps) of SUID processes, which usually run with elevated privileges. These dumps may contain sensitive information such as passwords, cryptographic keys or other secrets. CVE-2025-5054: Information leak via core dumps from SUID binaries using apport. CVE-2025-4598: Information disclosure in systemd-coredump due to insecure handling of SUID process memory dumps.

Sigma rule

title: Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
id: 33b3cfb1-574e-44b9-b527-fbf9303b9d7b
status: experimental
description: |
    Detects attempts by an attacker to enable core dumps for set-user-ID (SUID) processes by modifying the system file /proc/sys/fs/suid_dumpable, typically by setting its value to 1 or 2.
    Enabling this feature allows memory dumps (core dumps) of SUID processes, which usually run with elevated privileges.
    These dumps may contain sensitive information such as passwords, cryptographic keys or other secrets.
    CVE-2025-5054: Information leak via core dumps from SUID binaries using apport.
    CVE-2025-4598: Information disclosure in systemd-coredump due to insecure handling of SUID process memory dumps.
references:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-5054
    - https://nvd.nist.gov/vuln/detail/CVE-2025-4598
    - https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598
author: Milad Cheraghi
date: 2026-04-28
tags:
    - attack.privilege-escalation
    - attack.credential-access
    - attack.t1548
    - attack.t1003
    - cve.2025-5054
    - cve.2025-4598
    - detection.emerging-threats
logsource:
    product: linux
    category: process_creation
detection:
    selection_suid_dumpable_sysctl:
        Image|endswith:
            - '/sbin/sysctl'
            - '/bin/sysctl'
        CommandLine|contains: 'fs.suid_dumpable='
    selection_echo_proc_write:
        Image|endswith:
            - '/bin/bash'
            - '/bin/sh'
        CommandLine|contains:
            - 'echo 1 > /proc/sys/fs/suid_dumpable'
            - 'echo 2 > /proc/sys/fs/suid_dumpable'
            - 'echo 1 >/proc/sys/fs/suid_dumpable'
            - 'echo 2 >/proc/sys/fs/suid_dumpable'
            - 'echo 1> /proc/sys/fs/suid_dumpable'
            - 'echo 2> /proc/sys/fs/suid_dumpable'
            - 'echo 1>/proc/sys/fs/suid_dumpable'
            - 'echo 2>/proc/sys/fs/suid_dumpable'
    condition: 1 of selection_*
falsepositives:
    - System administrators enabling debugging temporarily
    - Legitimate crash diagnostic operations
level: medium
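To see how the two selections above behave on real telemetry shapes, here is a small evaluator that applies the rule's logic to constructed process_creation events. It is an added example, not part of the SigmaHQ rule, and the event dictionaries are made up; note that the sysctl selection only checks for the substring 'fs.suid_dumpable=' and therefore also fires when an administrator hardens the setting back to 0, while a write via tee is not covered at all.

```python
"""Apply the suid_dumpable Sigma rule's detection logic to constructed events.
Added example for this page; not the SigmaHQ rule's own code."""
from typing import Optional

SYSCTL_IMAGES = ("/sbin/sysctl", "/bin/sysctl")
SHELL_IMAGES = ("/bin/bash", "/bin/sh")
# Reproduce the eight spacing variants listed under selection_echo_proc_write.
ECHO_PATTERNS = tuple(
    f"echo {value}{gap}/proc/sys/fs/suid_dumpable"
    for value in ("1", "2")
    for gap in (" > ", " >", "> ", ">")
)


def matches_rule(event: dict) -> Optional[str]:
    """Return the name of the selection that matched, or None.
    The rule's condition is '1 of selection_*', so the first hit is enough."""
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    # selection_suid_dumpable_sysctl: Image|endswith + CommandLine|contains
    if image.endswith(SYSCTL_IMAGES) and "fs.suid_dumpable=" in cmd:
        return "selection_suid_dumpable_sysctl"
    # selection_echo_proc_write: shell image + any of the literal echo strings
    if image.endswith(SHELL_IMAGES) and any(p in cmd for p in ECHO_PATTERNS):
        return "selection_echo_proc_write"
    return None


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": "/usr/sbin/sysctl", "CommandLine": "sysctl -w fs.suid_dumpable=2"},
    {"Image": "/bin/bash", "CommandLine": "bash -c 'echo 1 >/proc/sys/fs/suid_dumpable'"},
    # Resetting to 0 via echo is not in the pattern list, so it does not fire.
    {"Image": "/bin/bash", "CommandLine": "bash -c 'echo 0 > /proc/sys/fs/suid_dumpable'"},
    # Resetting to 0 via sysctl DOES fire: the rule never inspects the value.
    {"Image": "/usr/sbin/sysctl", "CommandLine": "sysctl -w fs.suid_dumpable=0"},
    # A write through tee is outside both selections.
    {"Image": "/usr/bin/tee", "CommandLine": "tee /proc/sys/fs/suid_dumpable"},
]


def scan(events: list) -> list:
    """Evaluate every event; returns (CommandLine, matched selection or None)."""
    return [(e["CommandLine"], matches_rule(e)) for e in events]


if __name__ == "__main__":
    for cmd, hit in scan(SAMPLE_EVENTS):
        print(f"{hit or '-':32} {cmd}")
```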
