HighPublic exploit

Privilege Escalation in Deepin dde-api-proxy D-Bus Forwarding

IdentifiersCVE-2025-23222CWE-441

CVE-2025-23222 affects Deepin dde-api-proxy through 1.0.19. The proxy runs as a root-privileged system D-Bus service and forwards requests from arbitrary local users to legacy D-Bus methods implemented by backend services. The flaw is that dde-api-proxy performs forwarding without preserving or revalidating the original caller’s authorization context. As a result, backend D-Bus services receive proxied requests as if they originated from root rather than from the unprivileged local user. This breaks the trust boundary between the caller and the privileged service and exposes methods that should not be available to non-root users. Where Polkit authorization is involved, the backend may evaluate the request as coming from an administrative caller, leading to the same privilege-escalation outcome.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

A local unprivileged user can invoke privileged D-Bus methods that are intended to be restricted to root or otherwise authorized administrators. This can result in privilege escalation to administrative or root-equivalent capabilities depending on the exposed backend methods. The provided example indicates that operations rejected when called directly by an unprivileged user can succeed when invoked through the legacy proxy path. In Polkit-mediated cases, authorization decisions may incorrectly treat the caller as admin because the backend sees the request as originating from root.

Mitigation

If you can’t patch tonight, do this now.

Until a fixed package is deployed, reduce exposure by disabling or removing dde-api-proxy where operationally feasible, especially on multi-user systems. Restrict local access to affected systems, audit which legacy D-Bus methods are reachable through the proxy, and harden backend services so they do not rely solely on the proxy’s root identity for authorization. Additional defense-in-depth measures include tightening D-Bus policy for the proxy-exposed interfaces and reviewing Polkit rules associated with affected backend services.

Remediation

Patch, then assume compromise.

Upgrade dde-api-proxy to a fixed version later than 1.0.19 if available from the vendor. The vulnerable design should be corrected so that proxied D-Bus requests do not cause backend services to trust the proxy’s root identity as the original caller. Remediation should include enforcing authorization checks in the proxy before forwarding privileged methods, propagating and validating the real caller identity where supported, and restricting or removing access to legacy proxied methods that expose privileged functionality to untrusted local users.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

arstechnica securityNews

Mar 6, 2026

Feds take notice of iOS vulnerabilities exploited under mysterious circumstances - Ars Technica

An iOS exploit-chain vulnerability referenced as used by a surveillance-vendor customer; noted as already patched well before observed use.

u1f383 githubNews

May 25, 2025

DBus and Polkit Introduction | Blog

A privilege escalation vulnerability in Deepin's dde-api-proxy where a root-running D-Bus proxy forwards legacy interface requests to backend services without preserving or revalidating the original caller's authorization, causing backend services to treat unprivileged requests as if they came from root.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware1

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2025-23222

NVD

nvd.nist.gov/vuln/detail/CVE-2025-23222

MITRE CWE · CWE-441

cwe.mitre.org

bugzilla.suse.com

bugzilla.suse.com/show_bug.cgi?id=1229918

security.opensuse.org

security.opensuse.org/2025/01/24/dde-api-proxy-privilege-escalation.html

openwall.com

openwall.com/lists/oss-security/2025/01/24/3