Two Critical Sudo Vulnerabilities
CVE-2025-32463: Sudo Local Privilege Escalation via Malicious /etc/nsswitch.conf in --chroot
Summary:
CVE-2025-32463 is a critical local privilege escalation vulnerability in Sudo versions before 1.9.17p1. It allows a local unprivileged user to gain root access by exploiting how Sudo handles the /etc/nsswitch.conf file when invoked with the --chroot option. Specifically, Sudo mistakenly uses /etc/nsswitch.conf from a user-controlled directory inside the chroot environment, leading to command injection and root access escalation.
Severity:
- CVSS v3 base score: 9.3 (Critical)
- Attack vector: Local
- Privileges required: None
- User interaction: None
- Impact: Full confidentiality, integrity, and availability compromise.
How it works:
When Sudo is run with the --chroot option, it attempts to read /etc/nsswitch.conf inside the chroot directory to configure name service switches. However, if an attacker can control the chroot directory contents, they can supply a malicious /etc/nsswitch.conf file. This crafted file causes Sudo to execute arbitrary commands as root, effectively bypassing all privilege restrictions.
Sample scenario:
- A local attacker creates a directory they control and places a malicious `/etc/nsswitch.conf` inside it.
- They execute Sudo with the `--chroot` option pointing to that directory.
- Sudo reads the attacker-controlled `/etc/nsswitch.conf` and executes embedded commands with root privileges.
- The attacker gains full root access on the system.
Mitigation:
- Upgrade Sudo to version 1.9.17p1 or later where this vulnerability is fixed.
- Avoid using the `--chroot` option with untrusted directories.
- Apply vendor patches promptly (Ubuntu, SUSE, and Amazon Linux advisories are available).
CVE-2025-32462: Sudo Host-Based Command Execution on Unintended Machines
Summary:
CVE-2025-32462 is a high-severity local privilege escalation vulnerability in Sudo versions before 1.9.17p1. It arises when the sudoers configuration file specifies a host that is neither the current host nor the special keyword ALL. In this case, users listed in sudoers can execute commands on unintended machines, bypassing host restrictions.
Severity:
- CVSS v3 base score: ranges from 2.8 (Low) to 6 (Medium) depending on context
- Impact: Unauthorized command execution on unintended hosts, potential privilege escalation.
How it works:
- The sudoers file can restrict command execution based on the hostname using the `Host_Alias` or `Runas_Alias` directives.
- If a host is specified that does not match the current machine or `ALL`, Sudo incorrectly allows users to run commands as if they were on that host.
- This can lead to executing privileged commands on machines that should be off-limits.
Sample scenario:
- A system administrator configures sudoers with a host restriction, e.g., `Host_Alias WEB_SERVERS = web01`, but the current machine is `web02`.
- A user listed under that host alias can still run commands on `web01`, or effectively bypass the restriction.
- This could allow unauthorized access or command execution on other hosts in a multi-host environment.
Mitigation:
- Update Sudo to version 1.9.17p1 or later where the issue is fixed.
- Review and correct sudoers files to avoid specifying hosts other than the current host or `ALL` until patched.
- Use `sudo visudo` to safely edit sudoers and verify host restrictions.
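Both mitigation lists above come down to two checks an administrator can script: is the installed Sudo older than 1.9.17p1, and do any sudoers files name a host that is neither the current machine nor `ALL`. The script below is an added example written for this page; it is not code from the advisory or from the Sudo project. It assumes a POSIX sh with awk, sed and mktemp, sudoers files at `/etc/sudoers` and `/etc/sudoers.d/*`, and version strings shaped like `1.9.17p1`. Its sudoers parser is deliberately simplified (Host_Alias definitions and the host field of user specifications only; no line continuations, `@include` or netgroup resolution), so its output is a list of entries to review, not a verdict. The sample sudoers file it embeds is constructed for the example.

```shell
#!/bin/sh
# Added audit helper for this page (not from the advisory or the Sudo project).
# Assumes POSIX sh plus awk, sed and mktemp; versions look like MAJOR.MINOR.PATCH[pN].

FIXED_SUDO_VERSION=1.9.17p1   # release the advisory names as carrying both fixes

# Map "1.9.17p1" to one sortable integer: MAJOR*1000000 + MINOR*10000 + PATCH*100 + pN.
# Assumes MINOR, PATCH and the p-level each stay below 100.
sudo_version_key() {
    v=$1
    case $v in
        *p*) plevel=${v##*p}; base=${v%%p*} ;;
        *)   plevel=0;        base=$v ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    case $rest in
        *.*) minor=${rest%%.*}; patch=${rest#*.} ;;
        *)   minor=$rest;        patch=0 ;;
    esac
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + plevel ))
}

# True (exit 0) when VERSION is older than the fixed release.
sudo_version_is_vulnerable() {
    [ "$(sudo_version_key "$1")" -lt "$(sudo_version_key "$FIXED_SUDO_VERSION")" ]
}

# First line of `sudo -V` reads "Sudo version X.Y.Z"; print X.Y.Z (empty if sudo is absent).
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p'
}

# Print, once each, every host named in FILE ($1) that is neither ALL nor MYHOST ($2).
# Pass 1 collects Host_Alias names so references to them are not flagged; pass 2
# walks Host_Alias definitions and the host field of user specifications.
sudoers_foreign_hosts() {
    awk -v me="$2" '
        NR == FNR {
            if ($1 == "Host_Alias") { a = $2; sub(/=.*/, "", a); aliases[a] = 1 }
            next
        }
        /^[ \t]*(#|$)/ { next }                 # comments, #include, blank lines
        $1 ~ /^@include/ { next }
        $1 ~ /^Defaults([:@!>]|$)/ { next }
        $1 == "User_Alias" || $1 == "Runas_Alias" || $1 == "Cmnd_Alias" { next }
        {
            spec = $0
            if ($1 == "Host_Alias") {
                sub(/^[ \t]*Host_Alias[ \t]+[^=]*=[ \t]*/, "", spec)   # keep the host list
            } else {
                sub(/^[ \t]*[^ \t]+[ \t]+/, "", spec)                  # drop the user field
                sub(/[ \t]*=.*$/, "", spec)                            # keep the host field
            }
            n = split(spec, hosts, /[ \t,]+/)
            for (i = 1; i <= n; i++) {
                h = hosts[i]; sub(/^!/, "", h)                         # "!host" still names host
                if (h == "" || h == "ALL" || h == me || (h in aliases)) continue
                print h
            }
        }' "$1" "$1" | sort -u
}

# Constructed sample sudoers (not from any real system) used to exercise the audit.
sample_sudoers_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed example
Defaults env_reset
Host_Alias WEB_SERVERS = web01, web02
Host_Alias DB_SERVERS = db01
User_Alias ADMINS = alice, bob
ADMINS WEB_SERVERS = (ALL) ALL
bob db01 = (root) /usr/bin/systemctl restart postgresql
%wheel ALL=(ALL) ALL
carol web02 = (ALL) NOPASSWD: /usr/bin/apt
EOF
    echo "$f"
}

# Check the live system: sudo version, then every sudoers file (root is needed to read them).
audit_sudo() {
    ver=$(installed_sudo_version)
    if [ -z "$ver" ]; then
        echo "sudo not found"
    elif sudo_version_is_vulnerable "$ver"; then
        echo "sudo $ver is older than $FIXED_SUDO_VERSION: update (CVE-2025-32462, CVE-2025-32463)"
    else
        echo "sudo $ver includes the $FIXED_SUDO_VERSION fixes"
    fi
    me=$(uname -n)
    for f in /etc/sudoers /etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        sudoers_foreign_hosts "$f" "$me" | sed "s|^|$f: host is neither ALL nor $me: |"
    done
}

if [ "${1:-}" = "--run" ]; then audit_sudo; fi
```

Run it as root with `sh sudo-audit.sh --run`; without `--run` it only defines the functions, so it can be sourced from another script. Each host it prints still needs a human decision: an entry may be a legitimate FQDN or IP form of the local host, a netgroup, or a genuine foreign-host rule that should be removed until Sudo is at 1.9.17p1 or later.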
Summary Table
| CVE ID | Vulnerability Type | Affected Versions | Impact | Exploitation Scenario | Fix Available |
|---|---|---|---|---|---|
| CVE-2025-32463 | Local privilege escalation via malicious `/etc/nsswitch.conf` with `--chroot` | Sudo < 1.9.17p1 | Full root access | Attacker controls chroot dir with malicious config | Yes, update to 1.9.17p1 |
| CVE-2025-32462 | Host-based command execution bypass | Sudo < 1.9.17p1 | Execute commands on unintended hosts | Misconfigured sudoers with incorrect host specs | Yes, update to 1.9.17p1 |
Additional Notes
- Both vulnerabilities highlight the importance of keeping Sudo updated, especially in multi-user or multi-host environments.
- CVE-2025-32462 is a long-standing vulnerability (over 12 years old) recently rediscovered and confirmed on many Unix-like systems including Linux and macOS.
- CVE-2025-32463 is more severe due to its ability to gain root without any privileges or user interaction.
If you manage systems using Sudo, immediately update to version 1.9.17p1 or later and audit your sudoers configurations to mitigate these critical vulnerabilities.