Potential Exploitation of CVE-2025-5054 or CVE-2025-4598

Rule Info

Name
Potential Exploitation of CVE-2025-5054 or CVE-2025-4598
Author
Milad Cheraghi
Description
Detects attempts by an attacker to enable core dumps for set-user-ID (SUID) processes by modifying the system file /proc/sys/fs/suid_dumpable, typically by setting its value to 1 or 2. Enabling this setting allows memory dumps (core dumps) of SUID processes, which usually run with elevated privileges. These dumps may contain sensitive information such as passwords, cryptographic keys or other secrets. CVE-2025-5054: information leak via core dumps from SUID binaries using apport. CVE-2025-4598: information disclosure in systemd-coredump due to insecure handling of SUID process memory dumps.
Date
2026-04-28 00:00:00
Modified
None
Id
33b3cfb1-574e-44b9-b527-fbf9303b9d7b
Tags
attack.privilege-escalation attack.credential-access attack.t1548 attack.t1003 cve.2025-5054 cve.2025-4598 detection.emerging-threats
Type
Community Rule
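The following Python is an added illustration written for this page; it is not the Sigma rule's own detection logic and not code from the rule author. It shows how a detection along the lines of the description above can be applied to process-creation events: it classifies a command line as enabling (value 1 or 2), disabling (value 0), or writing an unknown value to /proc/sys/fs/suid_dumpable, and flags the first and last cases. The event field names (pid, user, cmdline), the sample events, and the command-line patterns matched are all assumptions made here, not fields or patterns taken from the rule.

```python
import re
from typing import Dict, List, Optional

# Meaning of /proc/sys/fs/suid_dumpable (Linux sysctl fs.suid_dumpable):
#   0 = core dumps of SUID/privileged processes disabled (kernel default)
#   1 = "debug": SUID processes dump core like any other process
#   2 = "suidsafe": dumps allowed only via a pipe handler or an absolute core_pattern
# The rule described on this page alerts on 1 or 2; this helper does the same.
ENABLE_VALUES = {"1", "2"}
SUID_DUMPABLE = r"/proc/sys/fs/suid_dumpable"

# Value written through a shell redirect, e.g. `echo 2 > /proc/sys/fs/suid_dumpable`
ECHO_VALUE = re.compile(r"\becho\s+['\"]?([0-2])['\"]?\s*>{1,2}\s*" + SUID_DUMPABLE + r"\b")
# Value set through sysctl, e.g. `sysctl -w fs.suid_dumpable=2`
SYSCTL_SET = re.compile(r"\bsysctl\b.*\bfs\.suid_dumpable\s*=\s*['\"]?([0-2])")
# Other writes where the value is not visible on the command line (stdin, pipes)
WRITE_REDIRECT = re.compile(r">{1,2}\s*" + SUID_DUMPABLE + r"\b")
TEE_WRITE = re.compile(r"\btee\b[^|;&]*\s" + SUID_DUMPABLE + r"\b")

# Constructed process-creation events for demonstration (hypothetical; field names
# are an assumption, not the rule's log source schema).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 1201, "user": "www-data", "cmdline": "sh -c 'echo 2 > /proc/sys/fs/suid_dumpable'"},
    {"pid": 1202, "user": "root", "cmdline": "sysctl -w fs.suid_dumpable=1"},
    {"pid": 1203, "user": "root", "cmdline": "sysctl -w fs.suid_dumpable=0"},
    {"pid": 1204, "user": "alice", "cmdline": "cat /proc/sys/fs/suid_dumpable"},
    {"pid": 1205, "user": "root", "cmdline": "tee /proc/sys/fs/suid_dumpable"},
    {"pid": 1206, "user": "root", "cmdline": "echo 0 > /proc/sys/fs/suid_dumpable"},
]


def classify(cmdline: str) -> Optional[str]:
    """Return 'enable', 'disable', 'write_unknown_value', or None for a command line."""
    match = ECHO_VALUE.search(cmdline) or SYSCTL_SET.search(cmdline)
    if match is not None:
        return "enable" if match.group(1) in ENABLE_VALUES else "disable"
    # A write whose value we cannot see still deserves a look: the value may
    # arrive via stdin (tee) or a here-string, so it cannot be ruled benign.
    if WRITE_REDIRECT.search(cmdline) or TEE_WRITE.search(cmdline):
        return "write_unknown_value"
    return None


def detect(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Return alert records for events that enable SUID core dumps or write an unseen value."""
    alerts = []
    for event in events:
        verdict = classify(str(event["cmdline"]))
        if verdict in ("enable", "write_unknown_value"):
            alerts.append({"pid": event["pid"], "user": event["user"],
                           "verdict": verdict, "cmdline": event["cmdline"]})
    return alerts


def read_suid_dumpable(path: str = "/proc/sys/fs/suid_dumpable") -> Optional[int]:
    """Hardening check: return the live sysctl value, or None if not on Linux/readable."""
    try:
        with open(path, "r", encoding="ascii") as handle:
            return int(handle.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"pid={alert['pid']} user={alert['user']} {alert['verdict']}: {alert['cmdline']}")
    current = read_suid_dumpable()
    if current is not None:
        print(f"current fs.suid_dumpable = {current} ({'dumps enabled' if current else 'disabled'})")
```

The "write_unknown_value" verdict is the practical caveat: a command line alone does not always reveal the value being written, so a production rule should either treat any write to the file as suspicious (as the description does) or correlate it with a subsequent read of the sysctl, rather than only matching the literal digits 1 and 2.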

Rule History

Author | Title | Date | Commit
Nasreddine Bencherchali | Merge PR #5966 from @nasbench - Update mitre tags to use attack v19 | 2026-04-29 |
Milad Cheraghi | Merge PR #5454 from @CheraghiMilad - Add `Potential Exploitation of CVE-2025-5054 or CVE-2025-4598` | 2026-04-28 |