SUSE Manager Server
cpe:2.3:a:suse:manager_server:*:*:*:*:*:*:*
- < 0.3.7-150600.3.6.2
- < 5.0.14-150600.4.17.1
- < 4.3.33-150400.3.55.2
A Missing Authentication for Critical Function vulnerability has been identified in SUSE Manager. It affects SUSE Manager 5.0 (5.0.5.7.30.1) prior to 5.0.14-150600.4.17.1, as well as several versions and ranges in SUSE Manager Server Module 4.3 (prior to 4.3.33-150400.3.55.2) and SUSE Manager Retail Branch Server 5.0 Extension. Anyone who can reach the WebSocket endpoint '/rhn/websocket/minion/remote-commands' can execute arbitrary commands as root on any client managed by the server, without authenticating. A proof of concept demonstrated command execution on managed clients through this unprotected endpoint.
Exploitation of this vulnerability allows for unauthorized command execution as root on affected client systems.
The vulnerability can be reproduced by connecting to the SUSE Manager server's WebSocket endpoint '/rhn/websocket/minion/remote-commands' over HTTPS (TCP port 443) without presenting any credentials or session cookie. Once the WebSocket handshake completes, the endpoint accepts commands that are executed as root on any client managed by that SUSE Manager server.
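The check below is an added example for triaging the behaviour described above; it is not SUSE's code and not the published proof of concept. It attempts only the RFC 6455 opening handshake against the endpoint path named on this page, with no session cookie and no command payload, and reports whether the server completed the upgrade. The hostname, the login redirect path and the sample responses used by demo() are constructed for illustration.

```python
"""Non-destructive handshake check for /rhn/websocket/minion/remote-commands.

Added example, not SUSE code. Sends an unauthenticated WebSocket upgrade request
and classifies the server's reply; it never sends a command over the socket.
"""
import base64
import hashlib
import os
import socket
import ssl
import sys
from typing import Optional

WS_PATH = "/rhn/websocket/minion/remote-commands"   # endpoint named in the advisory
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"     # fixed GUID from RFC 6455 section 4.2.2


def build_handshake(host: str, path: str, key: str) -> bytes:
    """Minimal upgrade request: deliberately no Cookie or Authorization header."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        f"Origin: https://{host}\r\n"
        "\r\n"
    ).encode("ascii")


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept a compliant server must return for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_response(raw: bytes) -> tuple:
    """Parse the status code and headers of the handshake response."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(status: int, headers: dict, key: str) -> str:
    """Turn the handshake response into a triage verdict."""
    if status == 101:
        if headers.get("sec-websocket-accept") == expected_accept(key):
            return "VULNERABLE: unauthenticated WebSocket upgrade accepted"
        return "UNKNOWN: 101 returned without a valid Sec-WebSocket-Accept"
    if status in (401, 403):
        return f"OK: upgrade refused without authentication (HTTP {status})"
    if status in (301, 302, 303, 307, 308):
        return f"OK: redirected instead of upgraded (HTTP {status} -> {headers.get('location', '?')})"
    return f"UNKNOWN: HTTP {status}; inspect manually"


def check(host: str, port: int = 443, timeout: float = 5.0, cafile: Optional[str] = None) -> str:
    """Run the handshake against a live server. TLS verification stays on; pass the
    appliance CA bundle via cafile rather than disabling it."""
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(build_handshake(host, WS_PATH, key))
            raw = tls.recv(4096)
    status, headers = parse_response(raw)
    return classify(status, headers, key)


# Constructed sample responses (not captured from any real server) so the logic runs offline.
SAMPLE_KEY = "dGhlIHNhbXBsZSBub25jZQ=="  # example key from RFC 6455 section 1.3
SAMPLE_RESPONSES = {
    "unpatched": (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
                  b"Connection: Upgrade\r\nSec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n"),
    "refused": b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n",
    "redirected": b"HTTP/1.1 302 Found\r\nLocation: /rhn/manager/login\r\n\r\n",
}


def demo() -> dict:
    """Classify the constructed samples; returns name -> verdict."""
    return {name: classify(*parse_response(raw), SAMPLE_KEY) for name, raw in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check(sys.argv[1]))  # e.g. python3 ws_check.py manager.example.test
    else:
        for name, verdict in demo().items():
            print(f"{name:10s} {verdict}")
```

A 101 here shows only that the handshake is not gated by authentication; it does not confirm command execution, and a fix that enforces authentication after the upgrade could still return 101 and then close the session immediately. Treat the verdict as a triage signal and confirm against the installed package versions listed at the top of this page. Run it only against servers you are authorized to test.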
Fixed packages are available for SUSE Manager Server 5.0 (delivered through the SUSE Manager Server 5.0 Extension) and for SUSE Manager Server Module 4.3; update to at least the fixed versions listed above. Instructions for these updates can be found in the SUSE Update Announcements for July 2025.