Detection rules › Sigma
Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
Detects attempts of an attacker to enable core dumps for set-user-ID (SUID) processes by modifying the system file /proc/sys/fs/suid_dumpable, typically by setting its value to 1 or 2. Enabling this feature allows memory dumps (core dumps) of SUID processes, which usually run with elevated privileges. These dumps may contain sensitive information such as passwords, cryptographic keys or other secrets. CVE-2025-5054: Information leak via core dumps from SUID binaries using apport. CVE-2025-4598: Information disclosure in systemd-coredump due to insecure handling of SUID process memory dumps.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Privilege Escalation | T1548 Abuse Elevation Control Mechanism |
| Credential Access | T1003 OS Credential Dumping |
Event coverage
| Provider | Event |
|---|---|
| Sysmon-for-Linux | Event ID 1 |
Rule body yaml
title: Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
id: 33b3cfb1-574e-44b9-b527-fbf9303b9d7b
status: experimental
description: |
Detects attempts of an attacker to enable core dumps for set-user-ID (SUID) processes by modifying the system file /proc/sys/fs/suid_dumpable, typically by setting its value to 1 or 2.
Enabling this feature allows memory dumps (core dumps) of SUID processes, which usually run with elevated privileges.
These dumps may contain sensitive information such as passwords, cryptographic keys or other secrets.
CVE-2025-5054: Information leak via core dumps from SUID binaries using apport.
CVE-2025-4598: Information disclosure in systemd-coredump due to insecure handling of SUID process memory dumps.
references:
- https://nvd.nist.gov/vuln/detail/CVE-2025-5054
- https://nvd.nist.gov/vuln/detail/CVE-2025-4598
- https://blog.qualys.com/vulnerabilities-threat-research/2025/05/29/qualys-tru-discovers-two-local-information-disclosure-vulnerabilities-in-apport-and-systemd-coredump-cve-2025-5054-and-cve-2025-4598
author: Milad Cheraghi
date: 2026-04-28
tags:
- attack.privilege-escalation
- attack.credential-access
- attack.t1548
- attack.t1003
- cve.2025-5054
- cve.2025-4598
- detection.emerging-threats
logsource:
product: linux
category: process_creation
detection:
selection_suid_dumpable_sysctl:
Image|endswith:
- '/sbin/sysctl'
- '/bin/sysctl'
CommandLine|contains: 'fs.suid_dumpable='
selection_echo_proc_write:
Image|endswith:
- '/bin/bash'
- '/bin/sh'
CommandLine|contains:
- 'echo 1 > /proc/sys/fs/suid_dumpable'
- 'echo 2 > /proc/sys/fs/suid_dumpable'
- 'echo 1 >/proc/sys/fs/suid_dumpable'
- 'echo 2 >/proc/sys/fs/suid_dumpable'
- 'echo 1> /proc/sys/fs/suid_dumpable'
- 'echo 2> /proc/sys/fs/suid_dumpable'
- 'echo 1>/proc/sys/fs/suid_dumpable'
- 'echo 2>/proc/sys/fs/suid_dumpable'
condition: 1 of selection_*
falsepositives:
- System administrators enabling debugging temporarily
- Legitimate crash diagnostic operations
level: medium
Stages and Predicates
Stage 0: condition
1 of selection_*Stage 1: selection_suid_dumpable_sysctl
selection_suid_dumpable_sysctl:
Image|endswith:
- '/sbin/sysctl'
- '/bin/sysctl'
CommandLine|contains: 'fs.suid_dumpable='
Stage 2: selection_echo_proc_write
selection_echo_proc_write:
Image|endswith:
- '/bin/bash'
- '/bin/sh'
CommandLine|contains:
- 'echo 1 > /proc/sys/fs/suid_dumpable'
- 'echo 2 > /proc/sys/fs/suid_dumpable'
- 'echo 1 >/proc/sys/fs/suid_dumpable'
- 'echo 2 >/proc/sys/fs/suid_dumpable'
- 'echo 1> /proc/sys/fs/suid_dumpable'
- 'echo 2> /proc/sys/fs/suid_dumpable'
- 'echo 1>/proc/sys/fs/suid_dumpable'
- 'echo 2>/proc/sys/fs/suid_dumpable'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
Image | ends_with |
|