CVE Alert: CVE-2025-32463 - Sudo project - Sudo

CVE-2025-32463

CRITICALExploitation active

Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the –chroot option.

CVSS v3.1 (9.3)

Vendor

Sudo project

Product

Sudo

Versions

1.9.14 lt 1.9.17p1

CWE

CWE-829, CWE-829 Inclusion of Functionality from Untrusted Control Sphere

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Published

2025-06-30T00:00:00.000Z

Updated

2025-09-27T03:55:21.442Z

References

https://www.sudo.ws/security/advisories/

https://www.sudo.ws/releases/changelog/

https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot

https://www.openwall.com/lists/oss-security/2025/06/30/3

https://access.redhat.com/security/cve/cve-2025-32463

https://ubuntu.com/security/notices/USN-7604-1

https://security-tracker.debian.org/tracker/CVE-2025-32463

https://explore.alas.aws.amazon.com/CVE-2025-32463.html

https://bugs.gentoo.org/show_bug.cgi?id=CVE-2025-32463

https://www.suse.com/support/update/announcement/2025/suse-su-202502177-1/

https://www.suse.com/security/cve/CVE-2025-32463.html

https://www.secpod.com/blog/sudo-lpe-vulnerabilities-resolved-what-you-need-to-know-about-cve-2025-32462-and-cve-2025-32463/

https://www.sudo.ws/security/advisories/chroot_bug/

https://www.vicarius.io/vsociety/posts/cve-2025-32463-detect-sudo-vulnerability

https://www.vicarius.io/vsociety/posts/cve-2025-32463-mitigate-sudo-vulnerability

AI Summary Analysis

Risk verdict

Why this matters

Most likely attack path

Who is most exposed

Detection ideas

Monitor for sudo invocations with –chroot referencing user-writable paths or unexpected changes to /etc/nsswitch.conf in such directories.
Look for sudden spikes in root-equivalent processes or shells spawned from non-root accounts.
Validate installed sudo versions across hosts; flag any not at or beyond the patched 1.9.17p1 release.
Inspect audit logs for anomalous chroot-based sudo usage or privilege escalations.
Watch for modifications to privileged configuration files outside standard OS paths.

Mitigation and prioritisation

Apply vendor patch to 1.9.17p1 or newer on all affected systems; verify patch success.
Restrict or remove use of –chroot in sudo configurations; ensure /etc/nsswitch.conf cannot be sourced from user-writable directories.
Implement strict access controls for directories used in chroot contexts; remove unnecessary sudo privileges via sudoers.
Deploy тестing and change-management steps before broad rollout; plan a rapid patch window due to exploitation activity.
Enhance monitoring and endpoint hardening (AppArmor/SELinux policies, root-claim isolation) to detect and contain post-exploit activity.

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on “Patreon” or “Buy Me A Coffee” using the buttons below

Buy Me A Coffee

Patreon

To keep up to date follow us on the below channels.

Tags: CVE, cve-2025-32463, OSINT, sudo, sudo-project, threatintel