HCE1-SA-2025-0024 Critical HCE 1.1 Security Fix(es): A privilege escalation from host to domain vulnerability was found in the FreeIPA project. The FreeIPA package fails to validate the uniqueness of the `krbCanonicalName` for the admin account by default, allowing users to create services with the same canonical name as the REALM admin. When a successful attack happens, the user can retrieve a Kerberos ticket in the name of this service, containing the admin@REALM credential. This flaw allows an attacker to perform administrative tasks over the REALM, leading to access to sensitive data and sensitive data exfiltration. (CVE-2025-4404) HCE 1.1 ipa-client-4.6.8-5.hce1c.18.x86_64.rpm ipa-client-common-4.6.8-5.hce1c.18.noarch.rpm ipa-common-4.6.8-5.hce1c.18.noarch.rpm ipa-server-4.6.8-5.hce1c.18.x86_64.rpm ipa-server-common-4.6.8-5.hce1c.18.noarch.rpm ipa-server-dns-4.6.8-5.hce1c.18.noarch.rpm ipa-server-trust-ad-4.6.8-5.hce1c.18.x86_64.rpm python2-ipaclient-4.6.8-5.hce1c.18.noarch.rpm python2-ipalib-4.6.8-5.hce1c.18.noarch.rpm python2-ipaserver-4.6.8-5.hce1c.18.noarch.rpm