Attacking FreeIPA — Part IV: CVE-2020-10747
ID: 6ccd4c66-9c4f-5d70-b5b3-33cdcfef9a99
STIX ID: report--6ccd4c66-9c4f-5d70-b5b3-33cdcfef9a99
Feed Name: SpecterOps Blog
This report details an offensive assessment of FreeIPA in which a flawed integration allowed privilege escalation to UID 0: an attacker with 'User Administrators' privileges can create a domain user named 'root', obtain a ticket, and SSH into the local root account, which also bypasses HBAC rules. The issue was reported and a patch exists, but Red Hat ultimately revoked CVE-2020-10747 and classified the behavior as expected rather than a security boundary failure; administrators are advised to treat privileged roles as highly sensitive and monitor them closely.
