How severe is CVE-2025-3931?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.8 out of 10.

What type of vulnerability is CVE-2025-3931?

This is classified as CWE-280, which is a common weakness in software security.

CVE-2025-3931 - HIGH Severity | CVSS 7.8

Vulnerability Description

A flaw was found in Yggdrasil, which acts as a system broker, allowing the processes to communicate to other children's "worker" processes through the DBus component. Yggdrasil creates a DBus method to dispatch messages to workers. However, it misses authentication and authorization checks, allowing every system user to call it. One available Yggdrasil worker acts as a package manager with capabilities to create and enable new repositories and install or remove packages. This flaw allows an attacker with access to the system to leverage the lack of authentication on the dispatch message to force the Yggdrasil worker to install arbitrary RPM packages. This issue results in local privilege escalation, enabling the attacker to access and modify sensitive system data.

Related Vulnerabilities

CVE-2019-17437

HIGH

CVSS:7.8(High)

An improper authentication check in Palo Alto Networks PAN-OS may allow an authenticated low privileged non-superuser custom role user to elevate privileges and become superuser. This issue affects PA...

CWE-2802019

CVE-2020-3427

HIGH

CVSS:7.8(High)

The Windows Logon installer prior to 4.1.2 did not properly validate file installation paths. This allows an attacker with local user privileges to coerce the installer to write to arbitrary privilege...

CWE-2802020

CVE-2021-37851

HIGH

CVSS:7.8(High)

Local privilege escalation in Windows products of ESET allows user who is logged into the system to exploit repair feature of the installer to run malicious code with higher privileges. This issue aff...

CWE-2802021

CVE-2022-22292

HIGH

CVSS:7.8(High)

Unprotected dynamic receiver in Telecom prior to SMR Feb-2022 Release 1 allows untrusted applications to launch arbitrary activity.

CWE-2802022

CVE-2023-21421

HIGH

CVSS:7.8(High)

Improper Handling of Insufficient Permissions or Privileges vulnerability in KnoxCustomManagerService prior to SMR Jan-2023 Release 1 allows attacker to access device SIM PIN.

CWE-2802023

CVE-2023-2480

HIGH

CVSS:7.8(High)

Missing access permissions checks in M-Files Client before 23.5.12598.0 (excluding 23.2 SR2 and newer) allows elevation of privilege via UI extension applications

CWE-2802023