CVE-2025-32463 Privilege Escalation in SUDO Triggers Urgent Linux Patching

Threat Group: General Operating System Threat
Threat Type: Privilege Escalation Vulnerabilities
Exploited Vulnerabilities: CVE-2025-32462, CVE-2025-32463, CVE-2025-46718
Malware Used: None
Threat Score: 🔥 Critical (9.3/10)
Last Threat Observation: July 1, 2025
Overview
Critical vulnerabilities have been identified in the sudo utility and in its Rust-based reimplementation, sudo-rs, affecting Linux and other Unix-like systems. CVE-2025-32463 lets any local user, including one with no entry in sudoers, obtain root through the --chroot (-R) option. CVE-2025-32462 lets a user invoke sudoers rules written for a different host in environments that distribute one sudoers file to many machines. CVE-2025-46718 in sudo-rs lets a user with limited privileges list other users' sudo permissions, which aids reconnaissance.
These vulnerabilities affect both the standard sudo and the Rust-based sudo-rs implementations. Attackers may gain unauthorized root access, bypass security restrictions, or enumerate privileged users. The flaws were disclosed by security researcher Rich Mirch from Stratascale Cyber Research Unit.
Immediate patching to sudo version 1.9.17p1 or higher and sudo-rs version 0.2.6 or higher is imperative. A robust defense strategy also requires sudoers hardening, enhanced logging and monitoring, and the use of Mandatory Access Control frameworks like SELinux or AppArmor.
Key Details
Delivery Method: Local. The attacker needs a shell as any authenticated user; CVE-2025-32463 requires no sudoers entry at all, while CVE-2025-32462 and CVE-2025-46718 require some existing sudo privilege.
Target: Unix and Linux systems using affected sudo versions
Functions:
- Unauthorized root shell access
- Host-based rule bypass
- Sudoers privilege enumeration
- Arbitrary command execution as root
- Loading of an attacker-controlled NSS module (shared library) through a crafted nsswitch.conf
Obfuscation: None required. Exploits involve misuse of command-line flags and crafted configuration files.
Attack Vectors
CVE-2025-32463: A critical flaw in sudo's --chroot (-R) option lets an unprivileged local user gain root. sudo changes its root to the user-supplied directory before it resolves user and group names, so glibc's Name Service Switch reads the attacker's nsswitch.conf from inside that directory and loads whatever shared library it names, with root privileges. It affects versions 1.9.14 through 1.9.17 and is fixed in 1.9.17p1, which also deprecates the chroot option.
CVE-2025-32462: Host restriction bypass via the -h or --host option. The option was meant to be honoured only when listing privileges (-l), but sudo also applied it when running commands, so a rule written for another host could be used on the local one. Affects versions 1.8.8 through 1.9.17; the flaw remained in sudo for over a decade and is fixed in 1.9.17p1.
CVE-2025-46718: Affects sudo-rs versions before 0.2.6. A user with limited sudo privileges can list other users' sudo permissions with the -U (--other-user) option in list mode, aiding reconnaissance.
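The version ranges above, turned into a triage script. This is an added example, not code from the page or from the sudo project: it parses the first line of the sudo --version banner, normalises the p-suffixed patch level so that 1.9.17p1 sorts after 1.9.17, and reports which of the three CVEs apply. The banner formats ("Sudo version 1.9.17p1", "sudo-rs 0.2.6") are assumed and the sample banners at the bottom are constructed.

```shell
#!/bin/sh
# Added example: triage sudo / sudo-rs version strings against the affected
# ranges given in this advisory (not code from the sudo project or the page).
#
# Assumed ranges, taken from the Attack Vectors text above:
#   CVE-2025-32463  sudo    1.9.14 .. 1.9.17   (fixed in 1.9.17p1)
#   CVE-2025-32462  sudo    1.8.8  .. 1.9.17   (fixed in 1.9.17p1)
#   CVE-2025-46718  sudo-rs < 0.2.6
# Assumed banner formats: "Sudo version 1.9.17p1" and "sudo-rs 0.2.6".

# Normalise "1.9.17p1" -> "1.9.17.1" and "1.9.16" -> "1.9.16.0" so the
# patch level ("p1") sorts after the unpatched release of the same number.
ver_key() {
  printf '%s\n' "$1" | awk -F'[.p]' '{
    for (i = 1; i <= 4; i++) printf("%d%s", $i + 0, ((i < 4) ? "." : "\n"))
  }'
}

# vercmp A B -> prints -1, 0 or 1 (numeric compare, component by component)
vercmp() {
  printf '%s\n%s\n' "$(ver_key "$1")" "$(ver_key "$2")" | awk -F. '
    NR == 1 { for (i = 1; i <= 4; i++) a[i] = $i + 0; next }
    { for (i = 1; i <= 4; i++) {
        if (a[i] < $i + 0) { print "-1"; exit }
        if (a[i] > $i + 0) { print "1";  exit }
      }
      print "0"
    }'
}

# in_range LOW HIGH VERSION -> true when LOW <= VERSION <= HIGH
in_range() {
  [ "$(vercmp "$3" "$1")" -ge 0 ] && [ "$(vercmp "$3" "$2")" -le 0 ]
}

# affected_cves sudo|sudo-rs VERSION -> space-separated CVE list, or "none"
affected_cves() {
  out=""
  case "$1" in
    sudo)
      in_range 1.8.8  1.9.17 "$2" && out="$out CVE-2025-32462"
      in_range 1.9.14 1.9.17 "$2" && out="$out CVE-2025-32463"
      ;;
    sudo-rs)
      [ "$(vercmp "$2" 0.2.6)" -lt 0 ] && out="$out CVE-2025-46718"
      ;;
  esac
  out=${out# }
  printf '%s\n' "${out:-none}"
}

# parse_version_line "<first line of sudo --version>" -> "sudo 1.9.17p1"
parse_version_line() {
  printf '%s\n' "$1" | awk '{
    impl = (tolower($1) == "sudo-rs") ? "sudo-rs" : "sudo"
    for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\.[0-9]+/) { print impl, $i; exit }
  }'
}

# triage "<banner line>" -> "sudo 1.9.16p2: CVE-2025-32462 CVE-2025-32463"
triage() {
  line=$1
  set -- $(parse_version_line "$line")
  if [ $# -ne 2 ]; then
    printf 'unrecognised banner: %s\n' "$line"
    return 1
  fi
  printf '%s %s: %s\n' "$1" "$2" "$(affected_cves "$1" "$2")"
}

# Constructed sample banners (not captured from real hosts). On a live
# system use:  triage "$(sudo --version 2>/dev/null | head -n 1)"
for banner in "Sudo version 1.9.16p2" "Sudo version 1.9.17p1" \
              "Sudo version 1.8.31" "sudo-rs 0.2.5"; do
  triage "$banner"
done
```

Distribution packages often backport the fix without changing the upstream version number, so treat the output as a prompt to check the package changelog or the vendor advisory, not as the final word.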
Vendor Advisory and Patch Links
Vendor | Advisory / Patch URL |
---|---|
Ubuntu | https://ubuntu.com/security/notices/USN-7604-1 |
Debian | https://lists.debian.org/debian-security-announce/2025/msg00116.html |
Red Hat / Fedora | https://access.redhat.com/errata/RHSA-2025:9978 |
Alpine Linux | https://security.alpinelinux.org/vuln/CVE-2025-32463 |
SUSE Linux | https://www.suse.com/security/cve/CVE-2025-32463/ |
Arch Linux | https://archlinux.org/packages/core/x86_64/sudo/ |
Gentoo | https://security.gentoo.org/glsa/202507-01 |
Mitigation and Prevention
User Awareness: Educate users on the risks. Prioritize sudo patching and sudoers audits.
Endpoint Protection: Ensure endpoint monitoring (EDR) tools alert on unexpected sudo behaviour, such as sudo spawning a shell for a user who has no sudoers entry.
Log Monitoring: Monitor syslog and auditd for use of the --chroot (-R), --host (-h), and -U options. A successful CVE-2025-32463 exploit runs its code while sudo is still resolving user names, before sudo reaches its own logging, so sudo's syslog entry may never appear; rely on auditd execve records, which capture the full command line, rather than on sudo's log alone.
Regular Updates: Patch sudo to 1.9.17p1 or higher. Update sudo-rs to version 0.2.6 or higher.
Sudoers Hardening: Remove unnecessary permissions. Avoid rules that grant ALL, NOPASSWD, or commands that can spawn a shell (editors, pagers, interpreters).
Environment Controls: Keep Defaults env_reset enabled. Use env_keep only for named exceptions, never for loader or interpreter variables. Set secure_path.
Authentication Hardening: Avoid Defaults !authenticate unless absolutely required. Use requiretty where non-interactive sudo is not needed.
MAC Enforcement: Deploy AppArmor or SELinux to contain privilege escalation attempts.
Auditd Rules: Watch /etc/sudoers, /etc/sudoers.d and /etc/nsswitch.conf for writes, and record execve of sudo and of commands run as root from unprivileged login sessions, using auditctl rules.
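The Log Monitoring and Auditd Rules items above, as an added example that is not part of the page or of any vendor tooling: a rules file for auditd and a scanner that reads the EXECVE records those rules generate and labels sudo invocations using the -R/--chroot, -h/--host or -U/--other-user options. The sudo path, the rule keys and the audit.log lines fed to the scanner are assumptions and constructed samples, not captured data.

```shell
#!/bin/sh
# Added example (not code from the page or the sudo project): auditd rules for
# the artefacts named above, plus a scanner for the EXECVE records those rules
# produce. The log lines below are constructed for the demo, not captured.
# Assumptions: sudo lives at /usr/bin/sudo; audit.log uses the stock format in
# which EXECVE records carry argv as a0="..." a1="...". Arguments containing
# spaces or quotes are hex-encoded without quotes and are skipped here; run
# `ausearch -i` first if you need them decoded.

# audit_rules -> rules for /etc/audit/rules.d/sudo.rules (load: augenrules --load)
# Older auditctl versions need auid!=4294967295 instead of auid!=unset.
audit_rules() {
  cat <<'EOF'
## every execution of sudo, with its full argv (SYSCALL + EXECVE records)
-w /usr/bin/sudo -p x -k sudo_exec
## chroot() from a logged-in user's session is rare; CVE-2025-32463 needs it
-a always,exit -F arch=b64 -S chroot -F auid>=1000 -F auid!=unset -k chroot_call
## files the exploit and its remediation depend on
-w /etc/sudoers -p wa -k sudoers_change
-w /etc/sudoers.d/ -p wa -k sudoers_change
-w /etc/nsswitch.conf -p wa -k nss_change
## anything executed as root from a non-root login session (noisy; tune it)
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k root_exec
EOF
}

# scan_sudo_execve < audit.log -> "<labels>\t<record>" for each suspicious sudo call
scan_sudo_execve() {
  awk '
    $1 != "type=EXECVE" { next }
    {
      n = 0                                   # rebuild argv[] from a0="..." a1="..."
      for (i = 1; i <= NF; i++) if ($i ~ /^a[0-9]+="/) {
        v = $i; sub(/^a[0-9]+="/, "", v); sub(/"$/, "", v); argv[n++] = v
      }
      if (n == 0 || argv[0] !~ /(^|\/)sudo(edit)?$/) next
      label = ""
      for (j = 1; j < n; j++) {
        a = argv[j]
        if (a !~ /^-/ || a == "--") break       # first non-option is the command itself
        if (a ~ /^--chroot/ || a ~ /^-[A-Za-z]*R/)
          label = label " CVE-2025-32463:chroot"
        else if (a ~ /^--host/ || a ~ /^-[A-Za-z]*h/)
          label = label " CVE-2025-32462:host"
        else if (a ~ /^--other-user/ || a ~ /^-[A-Za-z]*U/)
          label = label " CVE-2025-46718:list-other-user"
        # options whose value is the next argv element: skip that element
        if (a ~ /^-[A-Za-z]*[CDcghpRrtTuU]$/ ||
            a ~ /^--(chroot|host|other-user|user|group|prompt|role|type|command-timeout|close-from|chdir)$/)
          j++
      }
      if (label != "") { sub(/^ /, "", label); print label "\t" $0 }
    }'
}

# Constructed audit.log excerpt (timestamps and ids invented for the demo).
SAMPLE_AUDIT_LOG='type=EXECVE msg=audit(1751328001.001:101): argc=4 a0="sudo" a1="-R" a2="/tmp/woot" a3="woot"
type=SYSCALL msg=audit(1751328001.001:101): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 comm="sudo" exe="/usr/bin/sudo" key="sudo_exec"
type=EXECVE msg=audit(1751328002.002:102): argc=4 a0="sudo" a1="-h" a2="db01.example" a3="-l"
type=EXECVE msg=audit(1751328003.003:103): argc=4 a0="sudo" a1="-l" a2="-U" a3="root"
type=EXECVE msg=audit(1751328004.004:104): argc=2 a0="sudo" a1="-l"
type=EXECVE msg=audit(1751328005.005:105): argc=3 a0="/usr/bin/sudo" a1="--chroot=/home/alice/jail" a2="id"
type=EXECVE msg=audit(1751328006.006:106): argc=3 a0="grep" a1="-R" a2="woot"'

printf '%s\n' "$SAMPLE_AUDIT_LOG" | scan_sudo_execve
```

The scanner stops at the first non-option argument, so a command such as grep -R run under sudo is not mistaken for a chroot; the lone -h of sudo's help text will still be flagged, which is an acceptable false positive. Feed it a live file with scan_sudo_execve < /var/log/audit/audit.log, or pipe from ausearch -k sudo_exec --raw.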
Risk Assessment
Vulnerability | CVSS Score | Description |
---|---|---|
CVE-2025-32463 | 9.3 | Root access via unprivileged user using chroot and malicious NSS config |
CVE-2025-32462 | 2.8 | Host restriction bypass across distributed sudoers rules |
CVE-2025-46718 | 3.3 | Privilege enumeration in sudo-rs enables targeted attacks |
Conclusion
The sudo vulnerabilities disclosed on June 30, 2025 require urgent attention. CVE-2025-32463 represents a critical threat that undermines sudoers-based access control. CVE-2025-32462 enables rule bypass in centralized environments. CVE-2025-46718 in sudo-rs allows enumeration of permissions.
Patch all affected systems immediately. Audit and harden sudoers files. Use auditd and MAC frameworks for layered detection and containment. Treat "low" CVEs as part of a full kill chain. Apply operational best practices including testing, backups, and rollback plans.
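The sudoers audit called for here, and the hardening items listed under Mitigation and Prevention, as an added example (not code from the page, the sudo project or any distribution): a static check that reports the weak settings named above, next to a hardened Defaults stanza that passes the same check. The sample sudoers file is constructed, and the check assumes plain sudoers syntax without following #include or @include directives or expanding aliases.

```shell
#!/bin/sh
# Added example (not from the page or the sudo project): a static check of a
# sudoers file for the weak settings named under Mitigation and Prevention,
# next to a hardened Defaults stanza that passes the same check.
# Assumption: plain sudoers syntax; #include/@include lines are not followed
# and aliases are not expanded (check each included file on its own).

# audit_sudoers < FILE -> one finding per line, prefixed WEAK / REVIEW / INFO
audit_sudoers() {
  awk '
    { sub(/#.*/, ""); if ($0 ~ /^[ \t]*$/) next }       # drop comments and blanks
    /^Defaults/ {
      if ($0 ~ /[ \t,]!env_reset([ \t,]|$)/) { env_reset_off = 1; print "WEAK env_reset disabled: " $0 }
      if ($0 ~ /[ \t,]env_reset([ \t,]|$)/)  env_reset = 1
      if ($0 ~ /secure_path/)  secure_path = 1
      if ($0 ~ /requiretty/)   requiretty = 1
      if ($0 ~ /!authenticate/) print "WEAK authentication disabled: " $0
      if ($0 ~ /env_keep/ && $0 ~ /(LD_PRELOAD|LD_LIBRARY_PATH|PYTHONPATH|PERL5LIB|BASH_ENV)/)
        print "WEAK env_keep passes a loader/interpreter variable: " $0
      next
    }
    /NOPASSWD/ { print "REVIEW passwordless rule: " $0 }
    {
      # command list: text after the (runas) group, or after "=" when there is none
      cmd = $0
      if (cmd ~ /\)/) sub(/.*\)/, "", cmd); else sub(/.*=/, "", cmd)
      sub(/.*:/, "", cmd)                                  # drop tags such as NOPASSWD:
      if (cmd ~ /(^|[ \t,])ALL([ \t,]|$)/)
        print "REVIEW grants ALL commands: " $0
      else if (cmd ~ /\/(sh|bash|dash|zsh|ksh|vi|vim|nano|less|more|man|find|awk|perl|python[0-9.]*)([ \t,]|$)/)
        print "WEAK shell-capable command: " $0
    }
    END {
      if (!env_reset && !env_reset_off) print "WEAK Defaults env_reset not set"
      if (!secure_path) print "WEAK Defaults secure_path not set"
      if (!requiretty)  print "INFO Defaults requiretty not set (use it where non-interactive sudo is not needed)"
    }'
}

# hardened_defaults -> a Defaults stanza that satisfies the checks above.
# requiretty breaks non-interactive callers (cron, CI); drop it where those are needed.
hardened_defaults() {
  cat <<'EOF'
Defaults    env_reset
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults    requiretty
Defaults    logfile="/var/log/sudo.log"
EOF
}

# Constructed sample sudoers (not from a real host), deliberately weak.
SAMPLE_SUDOERS='# constructed sample, not from a real host
Defaults    !env_reset
Defaults    env_keep += "PYTHONPATH"
Defaults:bob !authenticate
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(root) NOPASSWD: /usr/bin/vim /etc/hosts
bob     ALL=(root) /usr/bin/systemctl restart nginx
deploy  ALL=(root) /usr/bin/less /var/log/app.log'

printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers
```

Run it as audit_sudoers < /etc/sudoers and again over each file in /etc/sudoers.d, and validate any edit with visudo -cf FILE before installing it; a syntax error in sudoers locks everyone out of sudo.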
Sources
- Ubuntu USN-7604-1: https://ubuntu.com/security/notices/USN-7604-1
- Debian security announcement: https://lists.debian.org/debian-security-announce/2025/msg00116.html
- Stratascale: https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
- Openwall: https://www.openwall.com/lists/oss-security/2025/06/30/2
- GitHub Advisory for sudo-rs: https://github.com/advisories/GHSA-w9q3-g4p5-5q2r
- SUSE CVE Tracker: https://www.suse.com/security/cve/CVE-2025-32463/
- Red Hat Security Advisory: https://access.redhat.com/errata/RHSA-2025:9978
- Alpine Linux CVE Tracker: https://security.alpinelinux.org/vuln/CVE-2025-32463
- Gentoo Bugzilla: https://bugs.gentoo.org/show_bug.cgi?id=923465