CVE-2025-32463 Privilege Escalation in SUDO Triggers Urgent Linux Patching

CVE-2025-32463 Privilege Escalation in SUDO Triggers Urgent Linux Patching

Threat Group: General Operating System Threat
Threat Type: Privilege Escalation Vulnerabilities
Exploited Vulnerabilities: CVE-2025-32462, CVE-2025-32463, CVE-2025-46718
Malware Used: None
Threat Score: πŸ”₯ Critical (9.3/10)
Last Threat Observation: July 1 , 2025

Overview

Recent critical vulnerabilities have been identified in the sudo utility and its Rust-based counterpart, sudo-rs, posing significant threats to Unix and Linux systems. CVE-2025-32463 allows for unauthorized root access through the --chroot option, even for unprivileged users not listed in sudoers. CVE-2025-32462 enables host restriction bypass in distributed sudoers environments. CVE-2025-46718 in sudo-rs permits privilege enumeration, aiding attackers in reconnaissance.

These vulnerabilities affect both the standard sudo and the Rust-based sudo-rs implementations. Attackers may gain unauthorized root access, bypass security restrictions, or enumerate privileged users. The flaws were disclosed by security researcher Rich Mirch from Stratascale Cyber Research Unit.

Immediate patching to sudo version 1.9.17p1 or higher and sudo-rs version 0.2.6 or higher is imperative. A robust defense strategy also requires sudoers hardening, enhanced logging and monitoring, and the use of Mandatory Access Control frameworks like SELinux or AppArmor.

Key Details

Delivery Method: Local execution by authenticated users
Target: Unix and Linux systems using affected sudo versions

Functions:

  • Unauthorized root shell access
  • Host-based rule bypass
  • Sudoers privilege enumeration
  • Arbitrary command execution as root
  • Configuration exploitation via NSS loading

Obfuscation: None required. Exploits involve misuse of command-line flags and crafted configuration files.

Attack Vectors

CVE-2025-32463: A critical flaw in sudo's --chroot option lets unprivileged users gain root by loading a malicious nsswitch.conf and arbitrary shared libraries. It affects versions 1.9.14 through 1.9.17.

CVE-2025-32462: Host restriction bypass via misuse of the -h or --host option. Affects versions 1.8.8 through 1.9.17. The flaw remained in sudo for over a decade.

CVE-2025-46718: Affects sudo-rs versions before 0.2.6. Limited-privilege users can list other users’ sudo permissions using the -U flag, aiding reconnaissance.

Vendor Advisory and Patch Links

VendorAdvisory / Patch URL
Ubuntuhttps://ubuntu.com/security/notices/USN-7604-1
Debianhttps://lists.debian.org/debian-security-announce/2025/msg00116.html
Red Hat / Fedorahttps://access.redhat.com/errata/RHSA-2025:32463
Alpine Linuxhttps://security.alpinelinux.org/vuln/CVE-2025-32463
SUSE Linuxhttps://www.suse.com/security/cve/CVE-2025-32463/
Arch Linuxhttps://archlinux.org/packages/core/x86_64/sudo/
Gentoohttps://security.gentoo.org/glsa/202507-01

Mitigation and Prevention

User Awareness: Educate users on the risks. Prioritize sudo patching and sudoers audits.

Antivirus Protection: Ensure endpoint monitoring tools alert on unexpected sudo behaviors.

Log Monitoring: Monitor syslog and auditd for use of --chroot, --host, and -U flags.

Regular Updates: Patch sudo to 1.9.17p1 or higher. Update sudo-rs to version 0.2.6 or higher.

Sudoers Hardening: Remove unnecessary permissions. Avoid commands in sudoers that spawn shells.

Environment Controls: Keep Defaults env_reset enabled. Use env_keep for exceptions. Enforce secure_path settings.

Authentication Hardening: Avoid !authenticate unless absolutely required. Use requiretty where applicable.

MAC Enforcement: Deploy AppArmor or SELinux to contain privilege escalation attempts.

Auditd Rules: Track changes to sudoers, nsswitch.conf, and root execve activity using auditctl rules.

Risk Assessment

VulnerabilityCVSS ScoreDescription
CVE-2025-324639.3Root access via unprivileged user using chroot and malicious NSS config
CVE-2025-324622.8Host restriction bypass across distributed sudoers rules
CVE-2025-467183.3Privilege enumeration in sudo-rs enables targeted attacks

Conclusion

The sudo vulnerabilities discovered in June 2025 require urgent attention. CVE-2025-32463 represents a critical threat that undermines sudoers-based access control. CVE-2025-32462 enables rule bypass in centralized environments. CVE-2025-46718 in sudo-rs allows enumeration of permissions.

Patch all affected systems immediately. Audit and harden sudoers files. Use auditd and MAC frameworks for layered detection and containment. Treat "low" CVEs as part of a full kill chain. Apply operational best practices including testing, backups, and rollback plans.

Sources