You are currently viewing Linux CUPS: Remote DoS and Authentication Bypass Exploit

Linux CUPS: Remote DoS and Authentication Bypass Exploit

  • Post author:
  • Reading time:3 mins read

The discovery of CVE-2025-58364 and CVE-2025-58060 reveals two critical weaknesses in the Linux Common Unix Printing System (CUPS). Exploiting these vulnerabilities could enable remote denial-of-service and authentication bypass attacks, endangering millions of systems that rely on CUPS as a fundamental printing component across Linux environments.

Vulnerability Details

Remote DoS Vulnerability (CVE-2025-58364)

A denial-of-service flaw tracked as CVE-2025-58364 has been discovered in the Linux printing stack. The bug is caused by unsafe handling of printer attributes in the libcups library, enabling attackers on local networks to crash systems through malicious printer responses.

The crash occurs when CUPS processes IPP_OP_GET_PRINTER_ATTRIBUTES requests, with vulnerable code paths in ippNewRequest(), cupsDoRequest(), and ippValidateAttributes(). Improper validation in these routines allows malformed data to trigger null dereferences inside a loop, eventually taking down the service.

Since the flaw requires only subnet-level access, attackers can exploit environments where CUPS automatically discovers printers. The cups-browsed service, in particular, broadens the attack surface by actively accepting network printer announcements.

The issue affects all CUPS releases before 2.4.12. At the time of disclosure, no official fix had been released.

Authentication Bypass Vulnerability (CVE-2025-58060)

The second flaw, CVE-2025-58060, is a high-risk authentication bypass vulnerability that compromises CUPS security in enterprise environments. The issue appears when administrators configure stronger authentication schemes like Kerberos or LDAP. Despite the expectation of strict validation, the server still accepts Authorization: Basic headers, bypassing password checks altogether.

In practice, attackers can send a crafted header such as:

Authorization: Basic YWRtaW46eA==

(where “admin:x” is base64-encoded) and gain full administrative privileges, regardless of the actual password.

By exploiting this logic error in the cupsdAuthorize() function, attackers can reconfigure printers, view or modify print jobs, and execute privileged operations — all without valid credentials.

Affected Products

  • All CUPS versions below 2.4.12

Tactics, Techniques, and Procedures (TTPs)

  • TA0001 – Initial Access: Attackers exploit public-facing applications to gain initial access to the system.
  • T1190 – Exploit Public-Facing Application: Exploit vulnerabilities in applications accessible from the internet or other external networks.
  • TA0040 – Impact: Attackers disrupt services, causing denial of service.
  • T1499 – Endpoint Denial of Service: Exploit vulnerabilities to cause system crashes and prevent legitimate users from accessing services.

Mitigations

  • Restrict IPP port 631 access through firewalls.
  • Disable the cups-browsed service on systems that do not require automatic printer discovery.
  • For the authentication bypass vulnerability, temporarily revert to AuthType Basic with strong passwords.

Instantly Fix Risks with Saner Patch Management

Saner patch management is a continuous, automated, and integrated software that instantly fixes risks exploited in the wild. The software supports major operating systems like Windows, Linux, and macOS, as well as 550+ third-party applications.

It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.

Experience the fastest and most accurate patching software here.