Attack

CISA warns of active exploitation of critical Sudo flaw

Take action: If you run Linux or Unix systems, check your Sudo version. If it is 1.9.14 or later (but older than 1.9.17p1), plan a prompt update to 1.9.17p1 or newer. Attackers are exploiting the flaw to obtain full root/administrator privileges. If you can't update immediately, severely restrict who can access those systems and run only trusted programs until you can patch.


Learn More

CISA is warning of active exploitation of the widely-used Sudo utility for Linux and Unix-like operating systems.

The vulnerability is tracked as CVE-2025-32463 (CVSS score 9.3), and affects all versions of Sudo prior to 1.9.17p1. The flaw allows any local user to execute arbitrary commands with root privileges even if they are not explicitly authorized in the sudoers configuration file. 

Successful exploitation requires systems that support /etc/nsswitch.conf, as attackers must create an /etc/nsswitch.conf file under a user-specified root directory and then use the chroot feature to trick Sudo into loading it. 

The flaw was introduced in 2023 with Sudo version 1.9.14 and remained undetected for over a year before being identified. The vulnerability was patched in June 2025 with the release of Sudo version 1.9.17p1, which deprecated the chroot feature and removed the option to run commands with a user-selected root directory. 

Patches have been available for several months, yet proof-of-concept exploits have also been public since July 2025, so weaponizing the vulnerability is trivial for attackers.

CISA strongly urges all organizations to update Sudo. Organizations that cannot immediately patch should implement compensating controls such as restricting network access.
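A portable check for the affected range described above (1.9.14 up to, but not including, 1.9.17p1) that a fleet-inventory script can reuse. This is an added example, not code from CISA or the Sudo project; it assumes Sudo's own version-string format ("X.Y.Z" or "X.Y.ZpN") as printed on the first line of `sudo --version`.

```shell
#!/bin/sh
# Returns 0 when the given Sudo version string falls inside the affected
# range 1.9.14 <= version < 1.9.17p1, 1 when it is outside the range, and
# 2 when the string cannot be parsed (so an inventory job can flag it).
sudo_version_affected() {
    v=$1
    core=${v%%p*}                                   # "1.9.17p1" -> "1.9.17"
    lvl=${v#"$core"}; lvl=${lvl#p}; lvl=${lvl:-0}   # patch level, 0 if absent
    oldifs=$IFS; IFS=.; set -- $core; IFS=$oldifs   # split "1.9.17" -> 1 9 17
    [ $# -eq 3 ] || return 2
    case "$1$2$3$lvl" in *[!0-9]*) return 2 ;; esac  # reject non-numeric parts
    # Encode as one comparable integer: major*10^6 + minor*10^4 + patch*100 + pN
    n=$(( $1 * 1000000 + $2 * 10000 + $3 * 100 + lvl ))
    lo=$(( 1 * 1000000 + 9 * 10000 + 14 * 100 ))       # 1.9.14 (flaw introduced)
    fix=$(( 1 * 1000000 + 9 * 10000 + 17 * 100 + 1 ))  # 1.9.17p1 (fixed release)
    [ "$n" -ge "$lo" ] && [ "$n" -lt "$fix" ]
}

# Reads the installed version from "sudo --version" (assumed first line:
# "Sudo version X.Y.ZpN"); prints nothing if sudo is missing.
installed_sudo_version() {
    sudo --version 2>/dev/null | sed -n '1s/^Sudo version //p'
}

# Prints a one-line verdict for this host; call it as: report_installed_sudo
report_installed_sudo() {
    ver=$(installed_sudo_version)
    [ -n "$ver" ] || { echo "$(hostname): sudo not found"; return 2; }
    if sudo_version_affected "$ver"; then
        echo "$(hostname): Sudo $ver AFFECTED by CVE-2025-32463, update to 1.9.17p1+"
        return 0
    else
        echo "$(hostname): Sudo $ver not in affected range"
        return 1
    fi
}
```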
