CVE-2025-32463
📋 TL;DR
This vulnerability in Sudo allows local users to escalate privileges to root by exploiting the --chroot option to load a malicious /etc/nsswitch.conf file from a user-controlled directory. It affects systems running vulnerable Sudo versions where users have local access. The high CVSS score reflects the potential for complete system compromise.
💻 Affected Systems
- sudo
📦 What is this software?
Leap by Opensuse
Sudo by Sudo Project
Sudo by Sudo Project
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full root privileges, enabling complete system takeover, data theft, persistence installation, and lateral movement.
Likely Case
Privileged local user or attacker with initial foothold escalates to root to install malware, access sensitive data, or bypass security controls.
If Mitigated
With proper access controls and patching, impact is limited to denial of service or minimal privilege escalation if exploit fails.
🎯 Exploit Status
Exploit requires local user access and ability to create/modify files in controlled directory. Proof-of-concept code is publicly available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.17p1
Vendor Advisory: https://access.redhat.com/security/cve/cve-2025-32463
Restart Required: No
Instructions:
1. Update sudo package using system package manager. 2. For RedHat/CentOS: 'sudo yum update sudo'. 3. For Debian/Ubuntu: 'sudo apt update && sudo apt upgrade sudo'. 4. For source installations: Download and compile sudo 1.9.17p1 or later.
🔧 Temporary Workarounds
Restrict chroot usage
linuxLimit sudoers configuration to prevent use of --chroot option by untrusted users
Edit /etc/sudoers to remove or restrict chroot privileges
File permission hardening
linuxSet strict permissions on directories users can control
chmod 755 /home/*
chmod 700 /home/user_controlled_dirs
🧯 If You Can't Patch
- Implement strict sudoers policies to limit --chroot usage to trusted administrators only
- Monitor for suspicious sudo --chroot usage and file creation in user directories
🔍 How to Verify
Check if Vulnerable:
Run 'sudo --version' and check if version is earlier than 1.9.17p1Check Version:
sudo --version | head -1Verify Fix Applied:
After update, verify 'sudo --version' shows 1.9.17p1 or later📡 Detection & Monitoring
Log Indicators:
- sudo logs showing --chroot usage with unusual paths
- Authentication logs showing privilege escalation attempts
Network Indicators:
- Unusual outbound connections from privileged processes
SIEM Query:
source="sudo" AND "--chroot" AND NOT path="/etc/nsswitch.conf"🔗 References
- https://access.redhat.com/security/cve/cve-2025-32463
- https://bugs.gentoo.org/show_bug.cgi?id=CVE-2025-32463
- https://explore.alas.aws.amazon.com/CVE-2025-32463.html
- https://security-tracker.debian.org/tracker/CVE-2025-32463
- https://ubuntu.com/security/notices/USN-7604-1
- https://www.openwall.com/lists/oss-security/2025/06/30/3
- https://www.secpod.com/blog/sudo-lpe-vulnerabilities-resolved-what-you-need-to-know-about-cve-2025-32462-and-cve-2025-32463/
- https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot
- https://www.sudo.ws/releases/changelog/
- https://www.sudo.ws/security/advisories/
- https://www.sudo.ws/security/advisories/chroot_bug/
- https://www.suse.com/security/cve/CVE-2025-32463.html
- https://www.suse.com/support/update/announcement/2025/suse-su-202502177-1/
- https://www.vicarius.io/vsociety/posts/cve-2025-32463-detect-sudo-vulnerability
- https://www.vicarius.io/vsociety/posts/cve-2025-32463-mitigate-sudo-vulnerability
- https://iototsecnews.jp/2025/07/01/linux-sudo-chroot-vulnerability-enables-hackers-to-elevate-privileges-to-root/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-32463
