What are the two security vulnerabilities discovered in the Sudo utility?

The Stratascale Cyber Research Unit discovered two security vulnerabilities in the Sudo utility: CVE-2025-32463 (CVSS score 9.3), a critical severity local privilege escalation vulnerability via the chroot option, and CVE-2025-32462 (CVSS score 2.8), a local privilege escalation vulnerability via the host option. Both can result in local privilege escalation to root on affected Linux systems.

What is the Sudo utility and why are these vulnerabilities significant?

The Sudo utility serves as a cornerstone of Linux security, allowing permitted users to execute commands as the superuser while maintaining an audit trail and implementing the principle of least privilege. These vulnerabilities are significant because they can completely circumvent these security controls, allowing unprivileged users to escalate their privileges to root access.

How does the CVE-2025-32463 chroot vulnerability work?

CVE-2025-32463 allows attackers to leverage sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file. The exploit process involves creating a temporary directory structure containing a crafted nsswitch.conf file and a malicious shared library. When executing sudo with the -R option pointing to this directory, the system loads the attacker's library during NSS operations, resulting in immediate root access.

What Sudo versions are affected by the chroot vulnerability?

The chroot vulnerability (CVE-2025-32463) affects Sudo versions 1.9.14 to 1.9.17 inclusive. This is a relatively recent range of versions but still represents a significant number of current Linux installations.

How does the nsswitch.conf exploitation technique work?

The exploitation works by manipulating the nsswitch.conf file. Normally, this file contains entries like 'passwd: files ldap' where the source name (ldap) translates to a shared library path (libnss_ldap.so). An attacker can create their own nsswitch.conf file with an entry like 'passwd: /mycode', which translates to loading a malicious library 'libnss_/mycode.so.2' that they control.

What is the CVE-2025-32462 host option vulnerability?

CVE-2025-32462 affects sudo's host (-h or --host) option, which is intended to be used in conjunction with the list option (-l or --list) to list a user's sudo privileges on a host other than the current one. This vulnerability can be exploited for local privilege escalation, though it has a lower CVSS score of 2.8 compared to the chroot vulnerability.

What Sudo versions are affected by the host option vulnerability?

The host option vulnerability (CVE-2025-32462) affects Sudo versions 1.8.8 to 1.9.17 inclusive, spanning over a decade of releases. This makes it a much more widespread vulnerability affecting many more systems than the chroot vulnerability.

How can organizations fix these Sudo vulnerabilities?

The bugs are fixed in sudo 1.9.17p1. Organizations should upgrade to this version or later to address both vulnerabilities. This is the recommended solution to protect against both CVE-2025-32463 and CVE-2025-32462.

Who discovered these Sudo vulnerabilities?

These security vulnerabilities were discovered and reported by the Stratascale Cyber Research Unit (CRU), a cybersecurity research team that specializes in identifying security flaws in widely-used system utilities.

How critical are these Sudo vulnerabilities?

CVE-2025-32463 is considered critical with a CVSS score of 9.3, as it allows unprivileged users to easily escalate to root access. CVE-2025-32462 has a lower CVSS score of 2.8 but still represents a significant security risk. Both vulnerabilities completely circumvent Sudo's security controls.

What makes the chroot vulnerability particularly dangerous?

The chroot vulnerability is particularly dangerous because the exploit process is remarkably straightforward and allows attackers to run arbitrary commands as root even if they are not listed in the sudoers file. This completely bypasses the fundamental access control mechanism that Sudo is designed to provide.

Are there any temporary mitigation measures for these Sudo vulnerabilities?

While the primary recommendation is to upgrade to sudo 1.9.17p1 or later, organizations could potentially restrict access to the sudo command or disable specific options if immediate patching is not possible. However, upgrading to the patched version is the most effective and recommended solution.

What is the impact of successful exploitation of these vulnerabilities?

Successful exploitation of either vulnerability results in local privilege escalation to root access on affected Linux systems. This means an attacker with limited user access can gain complete administrative control over the system, potentially compromising all data and services on the affected machine.

Advisory

Critical Sudo vulnerabilities enable local privilege escalation to root

published: July 1, 2025

Take action: This is a nasty flaw. If you have multiple user roles on your linux systems or are running services as non-root, make sure to update your Linux systems' Sudo utility to version 1.9.17p1 or later. The exploit vector is possible if someone already has local access to the system, which can either be through direct credentials or through breaching a vulnerable service that's running as non-root.

Learn More

The Stratascale Cyber Research Unit (CRU) is reporting two security vulnerabilities in the widely-used Sudo utility that can result in local privilege escalation to root on affected Linux systems.

The Sudo utility serves as a cornerstone of Linux security, allowing permitted users to execute commands as the superuser while maintaining an audit trail and implementing the principle of least privilege. However, the discovered vulnerabilities can completely circumvent these security controls, allowing unprivileged users to escalate their privileges to root access.

Vulnerabilities summary

CVE-2025-32463 (CVSS score 9.3) - a critical severity local privilege escalation vulnerability via the chroot option. It allows attackers to leverage sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file. This vulnerability affects Sudo versions 1.9.14 to 1.9.17 inclusive.
- The exploit process is remarkably straightforward. An attacker can create a temporary directory structure containing a crafted nsswitch.conf file and a malicious shared library. When executing sudo with the -R option pointing to this directory, the system loads the attacker's library during NSS operations, resulting in immediate root access.
- The standard nsswitch.conf file looks like this:
- ```
passwd:         files ldap
group:          files ldap
shadow:         files ldap
gshadow:        files ldap
```
- When reading the nsswitch.conf file is that the name of the source is also used as part of the path for a shared object (library). For example, the above ldap source translates to libnss_ldap.so. When an NSS function uses the ldap source, the library is loaded.
- If an attacker creates their own nsswitch.conf file with something like this:
- ```
passwd:         /mycode
```
- this is translated to loading a library libnss_/mycode.so.2, which can be malicious.
CVE-2025-32462 (CVSS score 2.8) - a local privilege escalation vulnerability via the host option. It affects sudo's host (-h or --host) option, which is intended to be used in conjunction with the list option (-l or --list) to list a user's sudo privileges on a host other than the current one. It affects Sudo versions 1.8.8 to 1.9.17 inclusive are affected, spanning over a decade of releases.

The vulnerabilities affect all Linux systems running vulnerable versions of Sudo. Exploitation of CVE-2025-32463 has been verified on Ubuntu 24.04.1 with Sudo versions 1.9.15p5 and 1.9.16p2, as well as on Fedora 41 Server with Sudo 1.9.15p5.

The bugs are fixed in sudo 1.9.17p1. Organizations should upgrade to this version or later to address both vulnerabilities.

Critical Sudo vulnerabilities enable local privilege escalation to root

Read More
Critical authentication bypass flaw in HCL BigFix WebUI …
Flowise low coding platform vulnerable to pre-authentication arbitrary …
VMware fixes high-severity code execution flaw in VMware …
SAP releases December 2024 patches for 16 flaws, …
Critical actively exploited flaw in WatchGuard Fireware OS …