Full Report
Hackers are actively exploiting a critical vulnerability (CVE-2025-32463) in the sudo package that enables the execution of commands with root-level privileges on Linux operating systems. [...]
Analysis Summary
# Vulnerability: Critical Linux Sudo Privilege Escalation (CVE-2025-32463)
## CVE Details
- CVE ID: CVE-2025-32463
- CVSS Score: 9.3 (Critical)
- CWE: CWE-829, Inclusion of Functionality from Untrusted Control Sphere (the attacker-controlled chroot directory supplies the `nsswitch.conf` and the NSS shared object that root-privileged sudo loads)
## Affected Systems
- Products: sudo (the `sudoers` policy plugin), both upstream builds and Linux distribution packages
- Versions: 1.9.14 through 1.9.17 (fixed in 1.9.17p1)
- Configurations: the default `sudoers` configuration is exploitable. The attacker needs only an unprivileged local account and no `sudoers` grant, because the chroot is applied, and the attacker's library loaded, before sudo consults the policy. Distribution packages that backported the fix under an older version string are not affected; check the package changelog rather than the bare version number.
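As an added example (not part of the original report or of the sudo project), the check below parses a sudo version string such as `1.9.17p1` and decides whether it falls in the affected range, 1.9.14 up to but not including 1.9.17p1. The `pN` patch-level suffix is treated as a fourth version component so that 1.9.17p1 sorts after 1.9.17; the sample version strings in the loop are constructed, and `installed_sudo_version` assumes the upstream `sudo -V` banner format `Sudo version X.Y.Z`.

```sh
#!/bin/sh
# Added example, not from the original advisory or the sudo project.
# Decide whether a sudo version string is in the CVE-2025-32463 range:
#   1.9.14 <= version < 1.9.17p1
# Assumes upstream version numbering: major.minor.patch with an optional
# "pN" patch-level suffix, e.g. "1.9.17p1".

# Map "1.9.17p1" to one integer so the shell can compare versions with
# -lt/-ge: major*10^7 + minor*10^5 + patch*10^3 + plevel.  A missing "pN"
# counts as p0, which is what makes 1.9.17 sort below 1.9.17p1.
version_key() {
    ver=$1
    plevel=0
    case $ver in
        *p*) plevel=${ver##*p}; ver=${ver%p*} ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $ver
    IFS=$oldifs
    echo $(( ${1:-0} * 10000000 + ${2:-0} * 100000 + ${3:-0} * 1000 + plevel ))
}

# Exit 0 (true) when the given version is affected by CVE-2025-32463.
sudo_affected() {
    key=$(version_key "$1")
    [ "$key" -ge "$(version_key 1.9.14)" ] && [ "$key" -lt "$(version_key 1.9.17p1)" ]
}

# The first line of `sudo -V` reads "Sudo version 1.9.17p1"; keep the number.
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p'
}

# Verdict for the sudo binary on this host, if one is present.
check_local_sudo() {
    v=$(installed_sudo_version)
    if [ -z "$v" ]; then
        echo "sudo not found or version banner not recognised"
    elif sudo_affected "$v"; then
        echo "sudo $v: in the affected range (1.9.14 - 1.9.17); upgrade to 1.9.17p1 or later"
    else
        echo "sudo $v: outside the affected range (still confirm distro backports)"
    fi
}

# Constructed sample versions that exercise both boundaries of the range.
for v in 1.9.13p3 1.9.14 1.9.15p5 1.9.17 1.9.17p1 1.9.17p2; do
    if sudo_affected "$v"; then echo "$v affected"; else echo "$v not affected"; fi
done
check_local_sudo
```

The version test is only a first cut: Debian, Ubuntu, RHEL and others ship security fixes as backports, so a host reporting 1.9.15p5 may already be patched. Confirm with `dpkg -s sudo` / `rpm -q --changelog sudo` (or your distribution's advisory) before treating a hit as unpatched.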
## Vulnerability Description
The flaw is in the handling of sudo's `-R`/`--chroot` option. The option itself predates the bug; the vulnerable behaviour was introduced in sudo 1.9.14 (June 2023), when the `sudoers` plugin began resolving the command with the chroot already applied. With `-R <dir>`, sudo changes root to the user-supplied directory before the command path is resolved and before the `sudoers` policy is evaluated. Name lookups that sudo performs while the chroot is in effect go through the C library's Name Service Switch, which reads `/etc/nsswitch.conf` relative to the new root. Because that root is attacker-controlled, a local user can plant an `nsswitch.conf` naming a custom NSS source together with a matching `libnss_<source>.so.2`; the C library then `dlopen()`s that shared object into the root-privileged sudo process and its constructor runs as root. No entry in `/etc/sudoers` is needed, since the library is loaded before any policy decision is made. This is CWE-829, inclusion of functionality from an untrusted control sphere.
## Exploitation
- Status: exploited in the wild; added to the CISA Known Exploited Vulnerabilities (KEV) catalog in September 2025. A public proof of concept has been available since the initial disclosure.
- Complexity: Low (the public PoC is a short shell script that compiles one shared object and runs `sudo -R`)
- Attack Vector: Local, from any unprivileged account; no user interaction and no `sudoers` grant required
## Impact
- Confidentiality: High (Root access allows access to all system data)
- Integrity: High (Root access allows modification or destruction of system data)
- Availability: High (Root access allows system compromise or shutdown)
## Remediation
### Patches
- Fixed upstream in sudo 1.9.17p1 (see the Sudo security advisories). Distribution packages may carry the fix as a backport under an older version string, so check the package changelog rather than relying on `sudo -V` alone.
### Workarounds
- CISA added the CVE to the KEV catalog in September 2025 with a remediation due date of 20 October 2025 for federal civilian agencies under BOD 22-01; the catalog's standing instruction is to apply vendor mitigations (here, upgrade to 1.9.17p1 or a patched distribution build) or discontinue use of the product if no mitigation is available.
- There is no `sudoers`-level workaround: the chroot is applied before the policy is consulted, so no rule in `sudoers` can block it. Upgrade, and prioritise hosts with untrusted local users (shared servers, CI runners, jump hosts). The `-R`/`--chroot` feature is deprecated as of 1.9.17p1 and is slated for removal in a future release.
## Detection
- Sudo log records: when `-R`/`--chroot` is used, the syslog line sudo writes for the command carries a `CHROOT=` field. Search `auth.log` or the journal for `sudo` records containing `CHROOT=`, or shell history and process telemetry for `sudo -R` / `sudo --chroot`, and treat any from accounts that hold no `sudoers` grant as suspicious. Caveat: the public PoC's library constructor execs a root shell before sudo reaches a policy decision, so a successful exploitation may leave no sudo log entry at all; log review mostly catches failed or clumsy attempts.
- Host artifacts: the PoC stages a private root directory containing `etc/nsswitch.conf` and a `libnss_*.so.2` module. Hunt for `nsswitch.conf` files and `libnss_` shared objects outside `/etc` and the system library paths, particularly under `/tmp`, `/dev/shm` and home directories, and for root shells whose parent is a `sudo` process.
- Syscall and process telemetry: audit `chroot()` calls made by the setuid `sudo` binary on behalf of unprivileged audit UIDs, and alert on root-owned processes spawned by `sudo` that load shared objects from, or have a working directory under, a user-writable path.
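Two of the checks above, as an added example that is not part of the original report or of the sudo project: a scan of sudo log records for the `CHROOT=` field, and a filesystem hunt for the staging layout the public PoC uses (`etc/nsswitch.conf` plus a `libnss_` module in a private root). The log lines in `SAMPLE_LOG` are constructed for this example; their field layout follows sudo's syslog records. The directory names used in the demo are likewise constructed.

```sh
#!/bin/sh
# Added example, not from the original advisory or the sudo project: two
# CVE-2025-32463 hunting checks. SAMPLE_LOG is constructed test data whose
# layout follows sudo's syslog records, which carry "CHROOT=" when -R is used.

SAMPLE_LOG='Sep 30 10:12:01 host sudo[4211]:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
Sep 30 10:12:40 host sudo[4230]:      bob : TTY=pts/1 ; CHROOT=/tmp/woot ; PWD=/tmp ; USER=root ; COMMAND=/bin/true
Sep 30 10:13:02 host sudo[4241]:      bob : user NOT in sudoers ; TTY=pts/1 ; CHROOT=/tmp/woot ; PWD=/tmp ; USER=root ; COMMAND=woot
Sep 30 10:13:30 host sshd[4250]: Accepted publickey for carol from 10.0.0.5 port 51022'

# Check 1: read log text on stdin and print "user<TAB>chroot-dir" for every
# sudo record that carries a CHROOT= field. Records without CHROOT= and lines
# from other daemons are ignored.
flag_chroot_sudo() {
    awk '/ sudo(\[[0-9]+\])?: / && /CHROOT=/ {
        user = ""; dir = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^sudo(\[[0-9]+\])?:$/) user = $(i + 1)
            if ($i ~ /^CHROOT=/) dir = substr($i, 8)
        }
        print user "\t" dir
    }'
}

# Check 2: hunt for the PoC staging layout, a private root holding
# etc/nsswitch.conf and a libnss_*.so* module. The PoC names its module
# libnss_/woot1337.so.2, so the pattern deliberately allows a "/" after
# "libnss_". System locations are excluded; pass a narrower root such as
# /home, /tmp or /dev/shm to keep the search quick.
find_staged_nss() {
    find "${1:-/}" -xdev \( -path '*/etc/nsswitch.conf' -o -path '*/libnss_*.so*' \) \
        -not -path '/etc/nsswitch.conf' \
        -not -path '/lib*/*' -not -path '/usr/lib*/*' -not -path '/usr/local/lib*/*' \
        2>/dev/null
}

# Number of staged artifacts under a directory; 0 means nothing was found.
count_staged_nss() {
    find_staged_nss "$1" | wc -l | tr -d ' '
}

# Demo on the constructed log: both of bob's records should be flagged.
printf '%s\n' "$SAMPLE_LOG" | flag_chroot_sudo

# Demo of the filesystem hunt on a constructed staging directory (removed afterwards).
demo=$(mktemp -d)
mkdir -p "$demo/woot/etc" "$demo/woot/libnss_"
: > "$demo/woot/etc/nsswitch.conf"
: > "$demo/woot/libnss_/woot1337.so.2"
find_staged_nss "$demo"
rm -rf "$demo"
```

Expect benign hits from container images, chroot build environments and `systemd-nspawn` trees when the hunt is run from `/`; the interesting ones are under user-writable paths. For the syscall angle, an auditd rule along the lines of `auditctl -a always,exit -F arch=b64 -S chroot -F auid>=1000 -F auid!=4294967295 -k sudo_chroot` (an example rule, adjust the UID floor to your site) records `chroot()` calls made on behalf of ordinary users, which catches the attempt even when sudo never gets to write a log line.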
## References
- Vendor Advisories: Sudo security advisories (https://www.sudo.ws/security/advisories/)
- CISA Catalog: CISA Known Exploited Vulnerabilities Catalog entry for CVE-2025-32463 (https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- Proof-of-Concept: GitHub repository containing PoC code (https://github.com/mirchr/CVE-2025-32463-sudo-chwoot/blob/main/sudo-chwoot.sh)