What are the latest Sudo vulnerabilities (CVE-2025-32462 and CVE-2025-32463), and how do they let local users gain root access on Linux?

Sudo, a powerful tool for privilege management on Linux and Unix systems, has been found to contain two serious vulnerabilities that can allow local users to gain unauthorized root access. These flaws, discovered by cybersecurity researcher Rich Mirch and disclosed on July 4, 2025, could affect thousands of systems if left unpatched.

Both vulnerabilities are present in Sudo versions before 1.9.17p1, which is used widely in major Linux distributions like Ubuntu, Red Hat, Debian, and AlmaLinux.

Let’s break down what these flaws are, how they work, and how you can protect your systems.

What is Sudo and Why Is It Important?

Sudo stands for “Superuser Do”, and it allows regular users to execute administrative tasks as another user — usually root. It helps enforce the principle of least privilege in Linux systems.

Sudo’s behavior is controlled by the file /etc/sudoers, which defines:

• Which users can run what commands

• As which other users (like root)

• On which machines

  
  

• With or without password prompts

The Two Critical Sudo Vulnerabilities

Let’s examine each vulnerability in more detail.

 CVE-2025-32462 – Host Misconfiguration Vulnerability

• What It Does: Allows users to run commands intended for a different host on the current local machine.

• Root Cause: A bug in the -h (host) flag behavior, present since 2013.

• Who Is Affected: Environments using a shared sudoers file across multiple machines, especially those using LDAP-based sudoers like SSSD.

• Risk Level: Moderate; requires specific configuration.

“This vulnerability has gone unnoticed for more than 12 years,” says Rich Mirch. “It allows misrouted permissions when host rules aren’t properly enforced.”

 CVE-2025-32463 – chroot Misuse Leads to Root Privilege Escalation

• What It Does: Allows any local user to gain root privileges, even without being defined in the sudoers file.

• How It Works: Exploits the --chroot (-R) option by crafting a fake /etc/nsswitch.conf inside a user-controlled directory. This tricks Sudo into loading a malicious shared library.

• Risk Level: High (CVSS 9.3)

• Impact: Default configurations are vulnerable, no sudoer rule is required.

“It’s a serious misbehavior of the chroot feature. Even default sudo setups can be exploited,” warns Mirch.

 How to Fix the Vulnerabilities

The good news? Patches are already available.

• Sudo Version 1.9.17p1 fixes both issues.

• Distributions Issuing Advisories:

  • CVE-2025-32462: AlmaLinux 8 & 9, Alpine Linux, Amazon Linux, Debian, Gentoo, Oracle Linux, Red Hat, SUSE, Ubuntu

  • CVE-2025-32463: Alpine Linux, Amazon Linux, Debian, Gentoo, Red Hat, SUSE, Ubuntu

 Recommended Actions

 Sudo’s Future: chroot Option to Be Removed

The chroot functionality is now considered too risky. Sudo maintainer Todd C. Miller announced that the option will be completely removed in a future release:

“Supporting a user-specified root directory is error-prone and opens up critical risks.”

 Why These Flaws Matter for Cybersecurity

Sudo is installed by default on almost all Linux systems — desktops, servers, and even IoT devices. That makes it a prime target for attackers looking to escalate privileges once inside a machine.

These vulnerabilities show:

• Even mature, trusted tools like Sudo can hide critical bugs.

• A single misconfiguration or overlooked patch can lead to full system compromise.

• Default installations are not always safe — configuration matters.

At a Glance

Conclusion

These vulnerabilities are a clear reminder that local privilege escalation still poses major threats — especially when tools like Sudo are misconfigured or outdated.

If you’re a system administrator, developer, or cybersecurity analyst, take action now:

• Patch Sudo immediately

• Review your sudoers setup

• Avoid using risky features like chroot

Small oversights can have big consequences, and in a world where attackers constantly probe for weak spots, proactive patching is your best defense.

FAQs

What is CVE-2025-32462 in Sudo?

It’s a vulnerability that lets users run commands intended for another host on the local system due to host misconfigurations in shared sudoers files.

What is CVE-2025-32463 in Sudo?

This flaw allows local users to gain root access by abusing the --chroot option and loading malicious config files from user-controlled directories.

What is the CVSS score of CVE-2025-32463?

CVE-2025-32463 has a CVSS score of 9.3, marking it as a critical severity vulnerability.

How does CVE-2025-32463 allow root access?

By exploiting how Sudo loads /etc/nsswitch.conf, attackers can inject malicious libraries and execute code with root privileges.

Which Sudo versions are affected by these vulnerabilities?

All versions before 1.9.17p1 are affected by both CVE-2025-32462 and CVE-2025-32463.

Has a patch been released for these Sudo vulnerabilities?

Yes, Sudo version 1.9.17p1 addresses both vulnerabilities and is available for download.

Which Linux distributions are affected?

Ubuntu, Red Hat, Debian, SUSE, Alpine Linux, AlmaLinux, Amazon Linux, Oracle Linux, and more.

Can these vulnerabilities be exploited remotely?

No, these are local privilege escalation vulnerabilities, meaning the attacker needs local access.

Does the attacker need to be in the sudoers file?

Not for CVE-2025-32463. Even users not listed in the sudoers file can exploit this flaw using chroot.

How long has CVE-2025-32462 been present in Sudo?

It has existed for over 12 years, since the host feature was introduced in 2013.

What is the --chroot option in Sudo?

It allows commands to run in a different root directory. This feature is now considered insecure and will be removed.

Should organizations stop using the chroot feature?

Yes. Developers have confirmed the --chroot option will be removed due to its risks.

How can I check my current Sudo version?

Run sudo -V in the terminal to see your installed version.

How do I update Sudo on Ubuntu?

Use sudo apt update && sudo apt install sudo to get the latest patched version.

What is /etc/nsswitch.conf used for?

It defines how Linux resolves hostnames, users, and groups — attackers misuse it in this exploit.

Why is this vulnerability so dangerous?

It affects default Sudo setups and allows unprivileged users to get full root access.

Who discovered these Sudo flaws?

The vulnerabilities were found by Rich Mirch, a researcher at Stratascale.

Is Sudo safe to use now?

Yes, as long as you are using version 1.9.17p1 or later with updated configs.

What systems should be patched first?

Patch all internet-facing and multi-user Linux systems, including production servers and DevOps machines.

Can attackers use this to install malware?

Yes, with root access, attackers can install persistent malware or create backdoors.

What is a sudoers file?

It’s the /etc/sudoers config file that defines who can run what commands on which machines.

Can LDAP-based sudoers be affected?

Yes, shared LDAP sudoers configurations are also vulnerable to CVE-2025-32462.

Is this flaw related to remote execution?

No, both vulnerabilities are related to local privilege escalation only.

How do I verify if my system is vulnerable?

Check your sudo version and whether you use -h or --chroot features.

What logs should I check after suspected exploitation?

Look at /var/log/auth.log and sudo command histories to detect unusual activity.

Will security tools detect this attack?

Only if they are configured to monitor for chroot misuse or sudo privilege escalation.

What can I do to limit sudo abuse?

Limit sudoers file permissions, disable chroot, and monitor sudo logs closely.

Will future versions of Sudo remove risky features?

Yes, the chroot option will be removed to prevent further misuse.

Are container-based environments affected?

If they use vulnerable sudo versions inside containers, then yes.