Cybersecurity researchers have disclosed two security flaws in the Sudo command-line utility for Linux and Unix-like operating systems that could enable local attackers to escalate their privileges to root on susceptible machines.
A brief description of the vulnerabilities is below -
- CVE-2025-32462 (CVSS score: 2.8) - Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines
- CVE-2025-32463 (CVSS score: 9.3) - Sudo before 1.9.17p1 allows local users to obtain root access because "/etc/nsswitch.conf" from a user-controlled directory is used with the --chroot option
Sudo is a command-line tool that allows low-privileged users to run commands as another user, such as the superuser. By executing instructions with sudo, the idea is to enforce the principle of least privilege, permitting users to carry out administrative actions without the need for elevated permissions.
The command is configured through a file called "/etc/sudoers," which determines "who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands."
Stratascale researcher Rich Mirch, who is credited with discovering and reporting the flaws, said CVE-2025-32462 has managed to slip through the cracks for over 12 years. It is rooted in the Sudo's "-h" (host) option that makes it possible to list a user's sudo privileges for a different host. The feature was enabled in September 2013.
However, the identified bug made it possible to execute any command allowed by the remote host to be run on the local machine as well when running the Sudo command with the host option referencing an unrelated remote host.
"This primarily affects sites that use a common sudoers file that is distributed to multiple machines," Sudo project maintainer Todd C. Miller said in an advisory. "Sites that use LDAP-based sudoers (including SSSD) are similarly impacted."
CVE-2025-32463, on the other hand, leverages Sudo's "-R" (chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file. It's also a critical-severity flaw.
"The default Sudo configuration is vulnerable," Mirch said. "Although the vulnerability involves the Sudo chroot feature, it does not require any Sudo rules to be defined for the user. As a result, any local unprivileged user could potentially escalate privileges to root if a vulnerable version is installed."
In other words, the flaw permits an attacker to trick sudo into loading an arbitrary shared library by creating an "/etc/nsswitch.conf" configuration file under the user-specified root directory and potentially run malicious commands with elevated privileges.
Miller said the chroot option will be removed completely from a future release of Sudo and that supporting a user-specified root directory is "error-prone."
Following responsible disclosure on April 1, 2025, the vulnerabilities have been addressed in Sudo version 1.9.17p1 released late last month. Advisories have also been issued by various Linux distributions, since Sudo comes installed on many of them -
- CVE-2025-32462 - AlmaLinux 8, AlmaLinux 9, Alpine Linux, Amazon Linux, Debian, Gentoo, Oracle Linux, Red Hat, SUSE, and Ubuntu
- CVE-2025-32463 - Alpine Linux, Amazon Linux, Debian, Gentoo, Red Hat, SUSE, and Ubuntu
Users are advised to apply the necessary fixes and ensure that the Linux desktop distributions are updated with the latest packages.