Description
A local privilege escalation vulnerability (CVE-2025-52923) was detected on the aTrust client for Linux. Sangfor has released an updated version to fix the vulnerability. Affected users can contact technical support at +60 12 711 7511 (7129) to obtain and install the SP.
Affected Versions and Remediation Solutions
| Product Name | Affected Versions | Solution |
|---|---|---|
| aTrust Client | aTrust clients 2.3.10.60-2.5.10.32 on Linux, including China-made Linux systems and Ubuntu systems (Clients on Ubuntu 2.4.10 and later are unaffected because they do not have the EAIO component.) | Upgrade client to aTrust 2.5.16.10 or later. |
Impact
Attackers can escalate the privileges of an ordinary local user to root privileges on Linux systems where aTrust clients with the vulnerability are installed.
Vulnerability Rating
Base score: 4.3 (AV:L/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N)
Temporal score: 4.0 (E:F/RL:O/RC:C)
The scores are calculated according to the CVSS 3.1 standard. For details, see https://www.first.org/cvss/calculator/3.1
Vulnerability Details
Because the eaio_service.service configuration file is misconfigured, an attacker who has obtained ordinary local user privileges can tamper with the ExecStartPre parameter in the file and inject malicious commands, escalating those privileges to root.
Risk Prevention Measure
Execute the following command on devices where the aTrust client is installed to restrict write permissions on the configuration file:
sudo chmod 644 /lib/systemd/system/eaio_service.service
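To confirm the restriction is in place, the check below reports whether a unit file is still writable by non-owners and lists its ExecStartPre lines for review. It is an added example, not Sangfor tooling; the function name `audit_unit_file` is hypothetical and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit a systemd unit file for the write-permission problem
# described in this advisory. Assumes GNU stat (coreutils) on Linux.

# audit_unit_file PATH [EXPECTED_UID]
# Returns 0 if PATH is owned by EXPECTED_UID (default 0, root) and is not
# writable by group or others, 1 if a finding is reported, 2 if PATH is missing.
audit_unit_file() {
    unit=$1
    want_uid=${2:-0}
    findings=0

    if [ ! -f "$unit" ]; then
        echo "MISSING  $unit" >&2
        return 2
    fi

    # -L follows a symlinked unit file; %a is the octal mode, %u the owner uid.
    mode=$(stat -L -c '%a' -- "$unit")
    uid=$(stat -L -c '%u' -- "$unit")

    if [ "$uid" -ne "$want_uid" ]; then
        echo "FINDING  $unit is owned by uid $uid, expected $want_uid"
        findings=1
    fi
    # Bits 020 (group write) and 002 (other write) let non-owners edit the unit.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FINDING  $unit has mode $mode (writable by group or others)"
        findings=1
    fi

    # List the commands systemd runs before the main process, for manual review.
    grep -n '^[[:space:]]*ExecStartPre' "$unit" | sed 's/^/REVIEW   /' || true

    if [ "$findings" -eq 0 ]; then
        echo "OK       $unit (mode $mode, uid $uid)"
    fi
    return "$findings"
}

# Audit the unit named in the advisory when it is present on this host.
UNIT=/lib/systemd/system/eaio_service.service
if [ -e "$UNIT" ]; then audit_unit_file "$UNIT" || true; fi
```

A FINDING line after the chmod has been applied means the file's owner or mode is still wrong; any REVIEW line should match the command the vendor package ships.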
Obtaining the SP
You can obtain the service pack (SP) by contacting global technical support at +60 12 711 7511 (7129) or tech.support@sangfor.com. You can also contact local technical support to obtain the SP. For contact information, please visit https://www.sangfor.com/support/technical-support
Disclaimer
Any software or service pack referred to on this page is the copyrighted work of Sangfor and/or its suppliers. Except for the purpose of vulnerability fixing, you may not further copy, modify, distribute, publish, license, transfer, sell, or attempt to extract the source code of the software or service pack by decompilation or other means.
This document does not provide any express, implied, or statutory warranties, including but not limited to warranties of merchantability, fitness, and non-infringement. Under no circumstances shall Sangfor Technologies or its direct or indirect subsidiaries be liable for any damages, including direct, indirect, incidental, or consequential loss of business profits and special damages. You shall assume any legal liability arising from your use of this document in any manner. Sangfor reserves the right to modify or update the content and information of this document at any time.
Update History
2025-09-06 V1.0 First release.