CVE-2025-46811

Name of the Vulnerable Software and Affected Versions SUSE Manager versions prior to 0.3.7-150600.3.6.2 SUSE Manager versions prior to 5.0.14-150600.4.17.1 Image SLES15-SP4-Manager-Server-4-3-BYOS versions prior to 4.3.33-150400.3.55.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure versions prior to 4.3.33-150400.3.55.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 versions prior to 4.3.33-150400.3.55.2 Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE versions prior to 4.3.33-150400.3.55.2 SUSE Manager Server Module 4.3 versions prior to 0.3.7-150400.3.39.4 SUSE Manager Server Module 4.3 versions prior to 4.3.33-150400.3.55.2

Description A missing authentication check for critical functions in SUSE Manager allows unauthenticated attackers with access to the websocket at /rhn/websocket/minion/remote-commands to execute arbitrary commands as root.

Recommendations Update SUSE Manager to version 0.3.7-150600.3.6.2 or later. Update SUSE Manager to version 5.0.14-150600.4.17.1 or later. Update Image SLES15-SP4-Manager-Server-4-3-BYOS to version 4.3.33-150400.3.55.2 or later. Update Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure to version 4.3.33-150400.3.55.2 or later. Update Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2 to version 4.3.33-150400.3.55.2 or later. Update Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE to version 4.3.33-150400.3.55.2 or later. Update SUSE Manager Server Module 4.3 to version 0.3.7-150400.3.39.4 or later. Update SUSE Manager Server Module 4.3 to version 4.3.33-150400.3.55.2 or later.