Critical Sudo Vulnerabilities Expose Linux Systems to Root Privilege Escalation

CyberSecureFox 🦊

Researchers at Stratascale have disclosed two vulnerabilities in sudo, the utility that most Linux and Unix-like systems rely on for delegating privileges. Both let a local user obtain privileges that the sudoers policy never granted, and the more severe one yields root on a default configuration. One of the two flaws had been present in the code for more than twelve years, a reminder of how long a bug can survive in an essential, heavily used component.

Understanding the Discovered Vulnerabilities

The first, CVE-2025-32462, is rated low (CVSS 2.8) and affects sudo 1.8.8 through 1.9.17. It only matters when the sudoers policy contains rules whose host field names a specific host that is neither the local machine nor ALL, which is typical of a sudoers file shared across a fleet or distributed through LDAP. The bug lives in the -h (--host) option, added in sudo 1.8.8 in September 2013 so that sudo -l could list the privileges a user would have on a different host.

The problem is that -h was not limited to list mode (-l): sudo also honored it when executing a command, matching the sudoers rules against the requested host name instead of the host it was actually running on. A user who had a rule for some other host in the shared policy could therefore run that host's permitted commands on the local machine, which is why sites with shared sudoers files or LDAP-based sudoers are the ones exposed.
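To make the matching logic concrete, here is a small shell model of how a sudoers rule's host field is evaluated, with the pre-fix and post-fix handling of -h side by side. It is an added illustration, not sudo's own code: it handles only ALL or a literal hostname in the host field, ignores aliases, netgroups and wildcards, and the rule, users and host names are constructed for the example.

```shell
#!/bin/sh
# Illustrative model of sudoers host matching, added to this article as an
# example. It is NOT sudo's code: it handles only "ALL" or a literal hostname
# in the host field and ignores aliases, netgroups, wildcards and the rest of
# the sudoers grammar. The rule, users and host names below are constructed.
#
# A rule has the form:  user  HOST = (runas) command
# Whether it applies depends on which host sudo believes it is running on.
# Before 1.9.17p1 the value of -h/--host replaced that host in every mode,
# which is CVE-2025-32462; after the fix, -h only influences "sudo -l".

# host_matches RULE_HOST CURRENT_HOST REQUESTED_HOST MODE FIXED
#   RULE_HOST       "ALL" or a hostname from the rule
#   CURRENT_HOST    the machine sudo actually runs on
#   REQUESTED_HOST  value given with -h, empty when -h is not used
#   MODE            "list" for sudo -l, "run" for command execution
#   FIXED           0 = behaviour before 1.9.17p1, 1 = behaviour after
# Prints "match", "no-match" or "rejected".
host_matches() {
  local rule_host current requested mode fixed effective
  rule_host=$1; current=$2; requested=$3; mode=$4; fixed=$5
  effective=$current
  if [ -n "$requested" ]; then
    if [ "$fixed" -eq 0 ] || [ "$mode" = list ]; then
      # Pre-fix: -h is honoured in every mode (the bug).
      # Post-fix: -h is honoured only when listing privileges.
      effective=$requested
    else
      # Post-fix, command execution: -h is no longer accepted
      # (modelled here as a rejection of the whole request).
      echo rejected
      return 0
    fi
  fi
  if [ "$rule_host" = ALL ] || [ "$rule_host" = "$effective" ]; then
    echo match
  else
    echo no-match
  fi
}

# rule_decision RULE USER COMMAND CURRENT_HOST REQUESTED_HOST MODE FIXED
# Parses a one-line rule and prints "allow", "deny" or "rejected".
rule_decision() {
  local rule user cmd current requested mode fixed
  local lhs rhs rule_user rule_host rule_cmd verdict
  rule=$1; user=$2; cmd=$3; current=$4; requested=$5; mode=$6; fixed=$7
  lhs=${rule%%=*}            # "user HOST"
  rhs=${rule#*=}             # " (runas) command"
  set -- $lhs
  rule_user=$1; rule_host=$2
  # Drop an optional "(runas)" list and surrounding whitespace.
  rule_cmd=$(printf '%s\n' "$rhs" | sed 's/^[[:space:]]*([^)]*)//; s/^[[:space:]]*//; s/[[:space:]]*$//')
  verdict=$(host_matches "$rule_host" "$current" "$requested" "$mode" "$fixed")
  if [ "$verdict" = rejected ]; then
    echo rejected
  elif [ "$verdict" = match ] && [ "$rule_user" = "$user" ] &&
       { [ "$rule_cmd" = ALL ] || [ "$rule_cmd" = "$cmd" ]; }; then
    echo allow
  else
    echo deny
  fi
}

# Constructed scenario: one sudoers fragment shared by every host in a fleet.
RULE='alice dbhost01 = (root) /usr/bin/systemctl restart postgresql'
CMD='/usr/bin/systemctl restart postgresql'

demo() {
  echo "dbhost01, no -h, old sudo:             $(rule_decision "$RULE" alice "$CMD" dbhost01 '' run 0)"
  echo "webhost01, no -h, old sudo:            $(rule_decision "$RULE" alice "$CMD" webhost01 '' run 0)"
  echo "webhost01, -h dbhost01, old sudo:      $(rule_decision "$RULE" alice "$CMD" webhost01 dbhost01 run 0)"
  echo "webhost01, -h dbhost01, fixed sudo:    $(rule_decision "$RULE" alice "$CMD" webhost01 dbhost01 run 1)"
  echo "webhost01, -l -h dbhost01, fixed sudo: $(rule_decision "$RULE" alice "$CMD" webhost01 dbhost01 list 1)"
}
demo
```

The third line of the demo is the vulnerability: alice's rule is meant for dbhost01 only, yet on an unpatched sudo the same command is allowed on webhost01 as soon as she passes -h dbhost01. After the fix the request is refused for execution and -h still works for listing, which is the only purpose it was added for.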

Critical CVE-2025-32463 Vulnerability

The second, CVE-2025-32463, is critical (CVSS 9.3). It affects the -R (--chroot) option, introduced in sudo 1.9.14, so sudo 1.9.14 through 1.9.17 are exposed, and it lets any local unprivileged user run code as root.

The exploit tricks sudo into loading an attacker-controlled shared library. With -R, sudo changes its root to the user-supplied directory before it has finished resolving the command, and while still inside that chroot it performs user and group lookups through NSS. glibc drives those lookups from /etc/nsswitch.conf, which now resolves inside the attacker's directory, and it loads whatever NSS module that file names as a shared library. A user therefore only has to place a crafted /etc/nsswitch.conf and a matching library under the directory passed to -R; sudo, running as root, loads and executes that library before it has decided whether the user may run anything at all.

Default Configuration Vulnerability

Stratascale stresses that the default sudo configuration is enough: exploiting CVE-2025-32463 requires no sudoers rule for the attacking user, only a shell on a machine with an affected version installed. That makes the exposure close to universal across Linux and other systems that shipped sudo 1.9.14 or later, whether or not the -R option has ever been used there.

Security Patches and Remediation Efforts

Sudo maintainer Todd Miller fixed both issues in sudo 1.9.17p1. The chroot option itself is now deprecated and scheduled for removal in a future release: resolving commands inside a root directory chosen by the invoking user was judged too dangerous to keep supporting.

Stratascale reported the flaws to the maintainer on April 1, 2025; the fixed release, 1.9.17p1, and the public advisories followed at the end of June 2025. Linux distributions issued security bulletins and updated packages promptly, given sudo's central role in Unix-like system administration.

Implementation of Security Measures

Administrators should update sudo to 1.9.17p1 or later, or to a distribution package that carries the backported fix. Distributions usually keep the upstream version string when they backport patches, so the output of sudo --version alone does not prove a system is fixed; check the package changelog or the distribution advisory. Sites that share a sudoers file across hosts or serve sudoers from LDAP (including through SSSD) should also review their host-scoped rules, since those are what CVE-2025-32462 turned into a cross-host privilege grant.
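A triage helper for the version ranges above, added here as an example (it is not part of the article or of the sudo project). It normalises sudo's version strings so that patch releases such as 1.9.17p1 sort after 1.9.17 and reports which of the two CVEs apply to a given version; the ranges it encodes are 1.8.8 through 1.9.17 for CVE-2025-32462 and 1.9.14 through 1.9.17 for CVE-2025-32463, both fixed in 1.9.17p1.

```shell
#!/bin/sh
# Version triage helper, added to this article as an example (not from the
# article's author or the sudo project). It maps a sudo version string to
# the CVEs that apply, using the affected ranges from the advisories:
#   CVE-2025-32462: 1.8.8 through 1.9.17   (-h/--host option added in 1.8.8)
#   CVE-2025-32463: 1.9.14 through 1.9.17  (-R/--chroot option added in 1.9.14)
# Both are fixed in 1.9.17p1.

# ver_key VERSION: normalise "1.9.17p1" to four numeric fields "1 9 17 1"
# ("1.9.17" becomes "1 9 17 0") so that "p" patch releases sort correctly.
ver_key() {
  printf '%s\n' "$1" | tr 'p.' '  ' | awk '{ printf "%d %d %d %d\n", $1, $2, $3, $4 }'
}

# version_lt A B: exit status 0 when A sorts strictly before B.
version_lt() {
  # $1..$4 become the fields of A, $5..$8 the fields of B; each shift
  # advances both sides by one field.
  set -- $(ver_key "$1") $(ver_key "$2")
  while [ $# -gt 4 ]; do
    [ "$1" -lt "$5" ] && return 0
    [ "$1" -gt "$5" ] && return 1
    shift
  done
  return 1
}

# sudo_affected VERSION: print the CVEs that apply, space separated
# (empty line when the version is outside both ranges).
sudo_affected() {
  local v out
  v=$1; out=""
  if ! version_lt "$v" 1.8.8 && version_lt "$v" 1.9.17p1; then
    out="CVE-2025-32462"
  fi
  if ! version_lt "$v" 1.9.14 && version_lt "$v" 1.9.17p1; then
    out="${out:+$out }CVE-2025-32463"
  fi
  printf '%s\n' "$out"
}

# installed_sudo_version: the upstream version string reported by the
# installed binary ("Sudo version 1.9.15p5" -> "1.9.15p5"), empty if absent.
installed_sudo_version() {
  sudo --version 2>/dev/null | awk 'NR == 1 { print $3 }'
}

# report_installed_sudo: one-line verdict for the sudo on this machine.
# Caveat: distributions that backport fixes keep the upstream version
# string, so a hit here means "check the package advisory", not "vulnerable".
report_installed_sudo() {
  local v cves
  v=$(installed_sudo_version)
  if [ -z "$v" ]; then
    echo "sudo not found in PATH"
    return 1
  fi
  cves=$(sudo_affected "$v")
  echo "sudo $v: ${cves:-no known exposure to CVE-2025-32462 / CVE-2025-32463}"
}

# Worked values (constructed; no sudo binary needed).
for v in 1.8.7 1.8.8 1.9.13p3 1.9.15p5 1.9.17 1.9.17p1; do
  echo "$v: $(sudo_affected "$v")"
done
```

Source the file and call report_installed_sudo to check the local binary. Because Debian, Ubuntu and others patch in place and keep strings such as 1.9.15p5, a reported CVE from this helper means the upstream version is in the affected range and the package changelog must be consulted before the host is treated as vulnerable or as fixed.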

Regular auditing of critical system components remains necessary. That one of these bugs went unnoticed for more than a decade shows how hard it is to spot latent flaws in widely deployed software, and how much the ecosystem depends on independent security research to find them.

This discovery is a reminder that even the most trusted system utilities can carry serious vulnerabilities. Timely updates and a working patch-management process remain the main defence against privilege-escalation attacks of this kind.
