The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned that attackers are actively exploiting CVE-2025-32463, a critical flaw in sudo—the ubiquitous utility for executing commands with superuser privileges on Linux. The vulnerability carries a CVSS score of 9.3 and enables local privilege escalation to root on affected systems.
What happened: affected versions and exploitation status
Researchers at Stratascale identified the issue in mid-2025, confirming impact on sudo versions prior to 1.9.17p1. CISA states the bug is being used in real-world attacks. While the agency did not disclose case details, the combination of a publicly available proof-of-concept (PoC) and broad Linux adoption makes rapid remediation essential for enterprise and government environments.
How CVE-2025-32463 works: sudo -R, chroot, and NSS injection
The flaw arises when sudo is invoked with the -R option (user-specified chroot). If an attacker can point sudo at a directory they control, and that directory contains a crafted /etc/nsswitch.conf, the system’s name service switch (glibc NSS) may load an arbitrary NSS module from within that path. Because sudo runs with elevated privileges, this behavior can lead to arbitrary code execution as root.
Why default configurations are exposed
Importantly, exploitation does not require special sudoers entries for a target user. Any local, unprivileged user who can run sudo with -R on a vulnerable build can potentially escalate privileges. This significantly lowers the barrier for insiders and post-compromise actors who already have a local foothold.
Risk and impact across Linux distributions
With a CVSS 9.3 rating and near-universal distribution of sudo across Linux servers and workstations, the attack surface is extensive. Public PoCs reduce the skill required to weaponize the issue, making it attractive to ransomware operators, red teams, and opportunistic threat actors. Historically, high-profile sudo flaws such as CVE-2021-3156 (Baron Samedit) demonstrated how quickly local privilege escalations can be incorporated into attack chains once reliable exploits circulate.
Upstream response: changes in sudo’s roadmap
Todd C. Miller, the maintainer of sudo, has indicated plans to remove chroot support in future releases, citing hard-to-defend complexity around user-controlled roots and dynamic library loading paths. This aligns with a broader strategy in secure software engineering: retiring risky code paths that repeatedly introduce subtle, high-impact bugs.
Mitigation and detection: what administrators should do now
Patch immediately. Update sudo to 1.9.17p1 or later via your distribution’s security repositories. If a patched package is unavailable, prioritize systems where untrusted users can execute sudo.
Avoid sudo -R (chroot). Disable or prohibit workflows that rely on sudo -R, especially in CI/CD, maintenance scripts, or multi-tenant environments where users can influence directory contents.
Harden NSS and library loading. Monitor for unauthorized changes to /etc/nsswitch.conf; restrict or alert on nonstandard NSS modules. Enforce integrity controls and policy-based whitelisting for shared libraries to prevent loading of unsigned or untrusted modules.
Enhance logging and detection. Increase audit coverage for sudo invocations, chroot events, and dynamic library loads. Feed signals into SIEM for correlation with privilege escalation patterns (e.g., anomalous use of sudo -R, unexpected NSS module paths).
Tighten access policies. Apply least privilege to sudo access, reduce membership in administrative groups, enforce MFA for privileged operations, and segment admin workstations to reduce lateral movement risk.
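As an added example, not code from CISA or the sudo project, the following Python script implements two of the checks above: it flags sudo log entries that record a user-chosen chroot outside an allow-list, and it compares an installed sudo version string against the fixed release named in this article. The CHROOT= field in sudo's syslog line and the sample log lines are assumptions constructed for the example.

```python
import re

# Constructed sample of syslog lines in sudo's default log format.
# The CHROOT= field is assumed to be what sudo writes when -R/--chroot is used.
SAMPLE_LOG = """\
Jul  1 10:01:02 host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jul  1 10:02:15 host sudo:     bob : TTY=pts/1 ; CHROOT=/tmp/woot ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/id
Jul  1 10:03:44 host sudo:   carol : TTY=pts/2 ; CHROOT=/srv/build-root ; PWD=/srv ; USER=root ; COMMAND=/bin/sh
"""

SUDO_LINE = re.compile(r"sudo:\s+(?P<user>\S+) : (?P<fields>.*)$")

def parse_sudo_line(line):
    """Split one sudo syslog line into a dict of its 'KEY=value' fields, or None."""
    m = SUDO_LINE.search(line)
    if not m:
        return None
    fields = {}
    for part in m.group("fields").split(" ; "):
        key, _, value = part.partition("=")
        fields[key] = value
    fields["user"] = m.group("user")
    return fields

def find_chroot_invocations(log_text, allowed_roots=()):
    """Return (user, chroot, command) for every sudo -R use outside the allow-list."""
    hits = []
    for line in log_text.splitlines():
        f = parse_sudo_line(line)
        if f and "CHROOT" in f and f["CHROOT"] not in allowed_roots:
            hits.append((f["user"], f["CHROOT"], f.get("COMMAND", "")))
    return hits

def version_tuple(version):
    """Parse '1.9.17p1' -> (1, 9, 17, 1); a missing patch level counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    return tuple(int(x or 0) for x in m.groups())

FIXED = "1.9.17p1"  # first fixed release per the article

def is_vulnerable(version):
    """True if this sudo version predates the fix for CVE-2025-32463."""
    return version_tuple(version) < version_tuple(FIXED)

if __name__ == "__main__":
    for user, root, cmd in find_chroot_invocations(SAMPLE_LOG, ("/srv/build-root",)):
        print(f"ALERT: {user} ran sudo -R {root}: {cmd}")
    print("vulnerable:", is_vulnerable("1.9.17"))
```

Feed it the output of `sudo --version` and your real auth log to turn the allow-list into a SIEM rule rather than a one-off check.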
Active exploitation of CVE-2025-32463 underscores a recurring lesson: foundational admin tools are prime targets once a local foothold is obtained. Organizations should fast-track patches, remove reliance on sudo -R, and strengthen monitoring around NSS and library loading paths. Staying current with CISA advisories and distribution security bulletins will reduce exposure windows and help prevent privilege escalation from becoming full system compromise.