
Cybersecurity researchers have disclosed two security vulnerabilities in the Sudo command-line utility for Linux and Unix-like operating systems, which could allow local attackers to escalate their privileges to root access on vulnerable machines.
The vulnerabilities are briefly described as follows:
- CVE-2025-32462 (CVSS Score: 2.8) – Sudo versions prior to 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.
- CVE-2025-32463 (CVSS Score: 9.3) – Sudo versions prior to 1.9.17p1 allow local users to gain root access because of the user-controlled directory containing “/etc/nsswitch.conf” used with the --chroot option.
Sudo is a command-line tool that allows low-privilege users to run commands as another user (such as the superuser). The idea behind using sudo to execute commands is to enforce the principle of least privilege, allowing users to perform administrative tasks without needing to elevate their privileges.
The command is configured through a file named “/etc/sudoers”, which determines “who can run which commands as which users on which machines, and also controls special matters such as whether a password is required for specific commands.”
Rich Mirch, a researcher at Stratascale, discovered and reported these vulnerabilities, stating that the CVE-2025-32462 vulnerability has been lurking for over 12 years. The flaw originates from the Sudo “-h” (host) option, which allows users to list their sudo privileges on different hosts. This feature was enabled in September 2013.
However, the bug allows any command permitted for an unrelated remote host to be executed on the local machine when sudo is run with a host option that references that remote host.
Sudo project maintainer Todd C. Miller stated in a security advisory: “This primarily affects sites that use a common sudoers file distributed across multiple machines. Sites using LDAP-based sudoers (including SSSD) are similarly affected.”
On the other hand, CVE-2025-32463 exploits the Sudo “-R” (chroot) option to run arbitrary commands as root, even if those commands are not listed in the sudoers file. This vulnerability is rated “critical.”
Mirch stated: “The default Sudo configuration is flawed. While this vulnerability involves the Sudo chroot functionality, it does not require any Sudo rules to be defined for the user. Therefore, if a vulnerable version is installed, any local unprivileged user could potentially escalate their privileges to root.”
In other words, the vulnerability allows an attacker to trick sudo into loading arbitrary shared libraries by creating an “nsswitch.conf” configuration file under a user-specified root directory, potentially executing malicious commands with elevated privileges.
Miller indicated that future versions of Sudo will completely remove the chroot option, as supporting user-specified root directories is “error-prone.”
Following the responsible disclosure of these vulnerabilities on April 1, 2025, they were patched in Sudo version 1.9.17p1, released at the end of last month. Since many Linux distributions ship with Sudo pre-installed, security advisories have also been issued:
- CVE-2025-32462 – AlmaLinux 8, AlmaLinux 9, Alpine Linux, Amazon Linux, Debian, Gentoo, Oracle Linux, Red Hat, SUSE and Ubuntu
- CVE-2025-32463 – Alpine Linux, Amazon Linux, Debian, Gentoo, Red Hat, SUSE and Ubuntu
Users are advised to apply the necessary patches and ensure that their Linux desktop distributions are updated with the latest packages.
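For administrators checking their exposure, the following POSIX shell script is an added example (not from the article or the Sudo project). It compares a sudo version string against the fixed release 1.9.17p1 named above, and performs a heuristic audit of sudoers text for the two configuration features the article ties to the flaws: host fields other than ALL (the common-sudoers-file scenario behind CVE-2025-32462) and chroot settings (the `runchroot` Defaults option and the `CHROOT=` command tag, which are the sudoers spellings of the -R/--chroot feature behind CVE-2025-32463). The sudoers text and the version strings in the script are constructed samples; the version parsing assumes the usual `major.minor.patch[pN]` form that sudo uses.

```shell
#!/bin/sh
# Added example, not part of the article: version check and sudoers audit
# for the two sudo flaws. Exit status 0 from needs_patch means "older than fix".

FIXED_VERSION="1.9.17p1"   # fixed release stated in the article

# version_key "1.9.16p2" -> 1009016002 (major, minor, patch, plevel packed
# into one integer so that plain numeric comparison orders versions).
version_key() {
    v=$1
    plevel=0
    case "$v" in
        *p*) plevel=${v##*p}; v=${v%p*} ;;
    esac
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0       # "1.9" has no patch component
    echo $(( major * 1000000000 + minor * 1000000 + patch * 1000 + plevel ))
}

# needs_patch VERSION: succeeds when VERSION is older than 1.9.17p1.
needs_patch() {
    [ "$(version_key "$1")" -lt "$(version_key "$FIXED_VERSION")" ]
}

# Count user-specification lines whose host field is something other than ALL.
# Heuristic parse of "user host = (runas) command"; Defaults, alias definitions,
# include directives, comments and blank lines are skipped. Reads sudoers text
# on stdin. Such rules are what a shared sudoers file distributes across hosts.
count_host_specific_rules() {
    awk '
        /^[ \t]*(#|@|$)/ { next }
        /^[ \t]*(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)/ { next }
        {
            line = $0
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", line)   # drop the user field
            host = line
            sub(/[ \t]*=.*/, "", host)              # keep text before "="
            if (host != "ALL") n++
        }
        END { print n + 0 }
    '
}

# Count lines that enable the chroot feature: the runchroot Defaults option
# or a CHROOT= tag on a command. Reads sudoers text on stdin.
count_chroot_usage() {
    grep -c -E 'CHROOT=|runchroot' || true
}

# Constructed sample sudoers text for demonstration; not a real configuration.
SAMPLE_SUDOERS='# constructed sample, not a real sudoers file
Defaults env_reset
Defaults runchroot=/srv/jail
User_Alias ADMINS = alice, bob
ADMINS ALL = (ALL) ALL
carol buildhost = (root) /usr/bin/systemctl restart nginx
dave ALL = (root) CHROOT=/srv/jail /bin/ls
'

# Demonstration on the constructed sample.
echo "host-specific rules: $(printf '%s' "$SAMPLE_SUDOERS" | count_host_specific_rules)"
echo "chroot settings:     $(printf '%s' "$SAMPLE_SUDOERS" | count_chroot_usage)"
for ver in 1.9.16p2 1.9.17 1.9.17p1 1.9.18; do
    if needs_patch "$ver"; then echo "$ver: older than $FIXED_VERSION"; else echo "$ver: fixed"; fi
done

# If sudo is installed, check the running version ("Sudo version X.Y.Z" is
# the first line of `sudo -V` output).
if command -v sudo >/dev/null 2>&1; then
    installed=$(sudo -V 2>/dev/null | head -n 1 | awk '{print $3}')
    [ -n "$installed" ] && { needs_patch "$installed" && echo "installed sudo $installed: update recommended" || echo "installed sudo $installed: at or above fix"; }
fi
```

The sudoers audit is deliberately a heuristic: it reads one file from stdin and does not follow `@include` directives or resolve LDAP/SSSD sources, so run it against every sudoers fragment in use (the article notes LDAP-based sudoers sites are affected as well). A non-zero host-specific rule count is not itself a vulnerability; it identifies configurations where the CVE-2025-32462 host-matching bug would matter on an unpatched version.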