Cybersecurity researchers have disclosed two security flaws in SUDO command line utilities in operating systems like Linux and UNIX, allowing local attackers to escalate the privileges of rooting sensitive machines.
A brief explanation of the vulnerability can be found below:
- CVE-2025-32462 (CVSS score: 2.8) – Use in a sudoers file that specifies sudo before 1.9.17p1, not current host or all hosts, allowing the listed users to run commands on unintended machines
- CVE-2025-32463 (CVSS score: 9.3) – In sudo before 1.9.17p1, the user-controlled directory “/etc/nsswitch.conf” is used with the -chroot option, allowing local users to get root access.
Sudo is a command line tool that allows you to run commands as another user, such as a superuser. By implementing instructions in SUDO, the idea is to implement the minimum principle of privilege and allow users to take administrative measures without the need to increase their authority.
The command is configured through a file called “/etc/sudoers” that determines “the person who can determine which machine user can run the command and controls special things like whether a particular command requires a password.”
Stratascale researcher Rich Mirch is acknowledged to have discovered and reported the defect, saying CVE-2025-32462 was able to slip through the crack for more than 12 years. This is rooted in the sudo’s “-H” (host) option, which allows you to list sudo privileges for users on different hosts. This feature was enabled in September 2013.
However, the identified bug allowed the remote host to execute the allowed commands on the local machine.
“This primarily affects sites that use common sudoers files distributed to multiple machines,” Sudo Project Maintenance Todd C. Miller said in an advisory. “Sites that use LDAP-based sudoers (including SSSDs) will be similarly affected.”
CVE-2025-32463, on the other hand, takes advantage of sudo’s “-r” (chroot) option to run the arbitraryary command as root, even if it is not listed in the sudoers file. It is also a flaw in severity.
“The default sudo configuration is vulnerable,” says Mirch. “The vulnerability includes the sudo chroot feature, but there is no need to define sudo rules for users. As a result, local, unlucky users could potentially escalate their permissions if a vulnerable version is installed.”
In other words, this flaw causes the attacker to load arbitrary shared libraries by creating a “/etc/nsswitch.conf” configuration file under the user-specified root directory and running a potentially highly privileged malicious command.
Miller said that the Chroot option will be removed entirely from a future release of Sudo, and supporting user-specified root directories is “error prone.”
Following the responsible disclosure on April 1, 2025, the vulnerability is addressed in SUDO version 1.9.17p1, released later last month. Because sudo is installed on many of them, recommendations have also been issued by various Linux distributions –
- CVE-2025-32462 -Almalinux 8,Almalinux 9,Alpine Linux, Amazon Linux, Debian, Gentoo, Oracle Linux, Red Hat, Suse, and Ubuntu
- CVE-2025-32463 -Alpine Linux, Amazon Linux, Debian, Gentoo, Red Hat, Suse, and Ubuntu
Users are advised to apply the necessary fixes and ensure that their Linux desktop distribution is updated with the latest packages.
