CVE-2025-23394: daily-backup.sh script in cyrus-imapd allows escalation from cyrus to root

9.8 CVSS

Description

A UNIX Symbolic Link (Symlink) Following vulnerability in openSUSE Tumbleweed cyrus-imapd allows escalation from cyrus to root.This issue affects openSUSE Tumbleweed cyrus-imapd before 3.8.4-2.1.

Classification

CVE ID: CVE-2025-23394

CVSS Base Severity: CRITICAL

CVSS Base Score: 9.8

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem Types

CWE-61: UNIX Symbolic Link (Symlink) Following

Affected Products

Vendor: SUSE

Product: openSUSE Tumbleweed

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.07% (probability of being exploited)

EPSS Percentile: 22.44% (scored less or equal to compared to others)

EPSS Date: 2025-06-06 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-23394
https://bugzilla.suse.com/show_bug.cgi?id=CVE-2025-23394

Timeline

2025-05-26 16:40:22 UTC
CVE

daily-backup.sh script in cyrus-imapd allows escalation from cyrus to root