Cybersecurity researchers have uncovered two vulnerabilities in the Sudo command-line tool used on Linux and Unix-like systems that could allow local users to escalate their privileges to root on affected machines.
The two flaws, which have been patched in version 1.9.17p1 of Sudo, are:
CVE-2025-32462 (CVSS score: 2.8)
This vulnerability impacts versions of Sudo prior to 1.9.17p1 when the sudoers file includes a host that is neither the current machine nor set to "ALL." Under these conditions, authorized users may be able to execute commands on machines they were not intended to access.
Sudo configurations are controlled through the /etc/sudoers file, which determines which users can run specific commands, as which users, and on which hosts. According to Stratascale researcher Rich Mirch, who reported the bug, the issue dates back more than 12 years and involves the -h (host) option. This option, which was added in September 2013, allows users to check their privileges for a different host. However, due to the flaw, users could execute commands permitted on the remote host locally as well.
Todd C. Miller, maintainer of the Sudo project, noted that environments using a shared sudoers file distributed across multiple machines or using LDAP-based sudoers configurations are particularly vulnerable to this bug.
CVE-2025-32463 (CVSS score: 9.3)
This second vulnerability is more severe and involves the -R (chroot) option in Sudo, which allows a command to be run in a different root directory. In this case, attackers could trick Sudo into loading a malicious shared library by creating an nsswitch.conf file under a directory they control. By doing so, they could escalate their privileges to root even without specific Sudo permissions being assigned to their user account.
Mirch pointed out that this flaw affects the default Sudo configuration and does not require any custom rules. Any unprivileged local user could potentially exploit this issue on vulnerable systems.
The Sudo team has stated that the chroot option will be completely removed in future releases, citing its complexity and potential for misuse. The vulnerabilities were responsibly disclosed on April 1, 2025, and patches were made available in version 1.9.17p1 at the end of the month.
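Both issues described above reduce to two practical checks for a defender: is the installed Sudo older than 1.9.17p1 (the only meaningful control for CVE-2025-32463, which needs no custom rules), and does the sudoers policy contain host-scoped rules that the -h behaviour in CVE-2025-32462 could undermine (rules whose host is neither ALL nor the local machine, including ones written against a Host_Alias). The script below is an added example written for this article, not code from the Sudo project or the researchers cited; the version string and the sudoers fragment are constructed samples, the hostnames in them are hypothetical, and a real run would feed it the first line of `sudo --version` and the contents of /etc/sudoers (plus any /etc/sudoers.d files) instead.

```python
import re
import socket

# Constructed sample of the first line of `sudo --version`; not captured from a real host.
SAMPLE_VERSION_OUTPUT = "Sudo version 1.9.16p2\n"

# Constructed sudoers fragment for the audit; all hostnames and users are hypothetical.
SAMPLE_SUDOERS = """\
# Defaults and aliases
Defaults    env_reset
Host_Alias  WEB = web01, web02
User_Alias  ADMINS = alice, bob

root        ALL=(ALL:ALL) ALL
%wheel      ALL=(ALL) ALL
alice       web01=(root) /usr/bin/systemctl restart nginx
bob         WEB=(ALL) NOPASSWD: /usr/sbin/reboot
carol       ALL=(ALL) ALL
"""

# 1.9.17p1 is the release the article names as carrying the fixes.
FIXED = (1, 9, 17, 1)


def parse_sudo_version(text):
    """Turn 'Sudo version 1.9.16p2' into a comparable tuple (1, 9, 16, 2).

    Releases without a patch level (e.g. 1.9.17) get patch level 0, so
    1.9.17 compares as older than 1.9.17p1, which matches the advisory.
    """
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError("could not find a sudo version string")
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def is_vulnerable_version(text):
    """True when the reported Sudo version is older than 1.9.17p1."""
    return parse_sudo_version(text) < FIXED


# user_or_group  host_field = (runas) command_spec
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(.*)$")


def audit_sudoers_hosts(sudoers_text, local_hostname):
    """Return (user, foreign_hosts) for rules whose host field names machines
    other than ALL or this host.

    Host_Alias definitions are expanded first, so a rule written against an
    alias is judged by the hosts the alias contains. These are exactly the
    rules whose per-host intent CVE-2025-32462 could be used to sidestep on
    an unpatched Sudo; on a patched build the audit still shows which rules
    rely on host scoping at all.
    """
    aliases = {}
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or line.startswith("Defaults"):
            continue
        if line.startswith("Host_Alias"):
            _, rest = line.split(None, 1)
            name, members = rest.split("=", 1)
            aliases[name.strip()] = [h.strip() for h in members.split(",")]
            continue
        if line.startswith(("User_Alias", "Runas_Alias", "Cmnd_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, host_field, _spec = m.groups()
        hosts = []
        for h in host_field.split(","):
            hosts.extend(aliases.get(h, [h]))
        foreign = [h for h in hosts if h != "ALL" and h != local_hostname]
        if foreign:
            findings.append((user, foreign))
    return findings


if __name__ == "__main__":
    # Stand-alone run over the constructed samples, evaluated as if this
    # machine were the hypothetical host "web01".
    me = "web01" or socket.gethostname()
    if is_vulnerable_version(SAMPLE_VERSION_OUTPUT):
        print("sudo is older than 1.9.17p1: upgrade (CVE-2025-32462, CVE-2025-32463)")
    for user, hosts in audit_sudoers_hosts(SAMPLE_SUDOERS, me):
        print(f"host-scoped rule for {user} applies to other hosts: {', '.join(hosts)}")
```

On a fleet that ships one sudoers file to every machine, or that serves rules from LDAP, the second check is the one worth automating: the Sudo maintainer singles those deployments out because they are where host-scoped rules for other machines naturally accumulate.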
Multiple Linux distributions have issued security advisories and updates addressing these flaws:
- CVE-2025-32462: Affects AlmaLinux 8 and 9, Alpine Linux, Amazon Linux, Debian, Gentoo, Oracle Linux, Red Hat, SUSE, and Ubuntu.
- CVE-2025-32463: Affects Alpine Linux, Amazon Linux, Debian, Gentoo, Red Hat, SUSE, and Ubuntu.
Sudo is widely used across Unix-based environments to allow non-privileged users to perform administrative tasks in a controlled manner. These vulnerabilities emphasize the importance of keeping such tools up to date. Users are strongly encouraged to upgrade to the latest version and apply any relevant patches to prevent unauthorized privilege escalation.