SOCRadar® Cyber Intelligence Inc. | CVE-2025-32463: Sudo Privilege Escalation Vulnerability Exploited, CISA Warns
Oct 01, 2025
Dec 25, 2025

CVE-2025-32463: Sudo Privilege Escalation Vulnerability Exploited, CISA Warns

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that attackers are actively exploiting CVE-2025-32463, a severe flaw in the widely used sudo utility on Linux and other Unix-like systems. This vulnerability lets ordinary local accounts escalate privileges to root by abusing the rarely used chroot option on systems that support /etc/nsswitch.conf.

With the flaw now included in CISA’s Known Exploited Vulnerabilities (KEV) catalog, system administrators must act quickly to secure their environments.

What Is CVE-2025-32463?

CVE-2025-32463 (CVSS 7.8) is a local privilege escalation vulnerability, introduced in sudo 1.9.14 and present through 1.9.17.

The issue allows a local user to run arbitrary commands as root by using sudo’s -R / --chroot option to cause sudo to load attacker-controlled NSS modules from inside a user-supplied chroot environment.

Details of CVE-2025-32463 (SOCRadar Vulnerability Intelligence)

The vulnerability was publicly disclosed on June 30, 2025, and Proof-of-Concept (PoC) exploits have been publicly available since July. Moreover, CISA has added the CVE to its Known Exploited Vulnerabilities catalog, reporting evidence of in-the-wild use.

How the Vulnerability Works

  • The vulnerable code allowed chroot() to be performed while sudo was still evaluating sudoers and performing NSS (Name Service Switch) lookups.
  • If the target system supports /etc/nsswitch.conf, an attacker can place an /etc/nsswitch.conf and a malicious libnss_*.so inside a user-controlled chroot tree.
  • NSS then attempts to load a module name derived from the nsswitch entry (e.g., libnss_woot.so), which can be a shared object the attacker supplies – leading to arbitrary code execution as root.

Which Systems Are Affected and How Can You Detect Exploitation?

  • Affected versions: sudo 1.9.14 to 1.9.17 (inclusive). Legacy sudo versions 1.8.32 and prior do not include the chroot feature and are not vulnerable.
  • Where it matters: systems that implement NSS via /etc/nsswitch.conf (common on many Linux distributions).
  • Logs: commands that use chroot are logged with a CHROOT= string in syslog – search for that as an indicator of use.

Act Now: CISA’s KEV Catalog Listing and Federal Deadlines

CISA added CVE-2025-32463 to its Known Exploited Vulnerabilities (KEV) catalog after confirming active exploitation. Federal Civilian Executive Branch (FCEB) agencies must apply mitigations by October 20, 2025 under Binding Operational Directive 22-01.

While this deadline applies to U.S. federal agencies, all organizations should treat the advisory as urgent guidance.

Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability (CVE-2025-32463) listed on CISA’s Known Exploited Vulnerabilities Catalog

With SOCRadar, organizations gain the insight and coverage needed to respond faster and reduce exposure to vulnerability threats.

The SOCRadar Cyber Threat Intelligence module delivers actionable vulnerability intelligence, helping security teams prioritize patching based on real-world exploitation. It also integrates CISA’s Known Exploited Vulnerabilities (KEV) checks so you can quickly verify if newly disclosed flaws are being weaponized.

In addition, the Attack Surface Management (ASM) module continuously monitors your exposed assets and detects vulnerable technologies, giving you visibility into risks before adversaries exploit them.

SOCRadar’s ASM module, Company Vulnerabilities

How Can You Mitigate CVE-2025-32463?

  • Patch now. Upgrade to sudo 1.9.17p1 or later (the definitive fix). This removes the risky behavior and deprecates the chroot feature.
  • Search for chroot usage. Inspect /etc/sudoers, files under /etc/sudoers.d, and any LDAP-stored rules for CHROOT= or runchroot= entries (a runchroot value of * allows users to supply the root path).
  • Hunt for indicators. Grep syslog for CHROOT= and review sudo command logs to find any unexpected chroot invocations.
  • Avoid using the chroot option. The chroot feature is deprecated and will be removed in a future release; remove chroot-based rules where possible.
  • Assume compromise if suspicious activity is found. Because the vulnerability yields a root shell outside the chroot, treat confirmed exploitation as a full compromise and follow incident response playbooks.
  • See the official Sudo advisory and the original researcher write-up at Stratascale for full details.
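The version check and the CHROOT= / runchroot= hunts above, turned into a small triage script. This is an added example, not code from the SOCRadar post or the sudo project; it runs against constructed sample sudoers and syslog lines so it can be tried offline, and the version-string format it parses (`1.9.15p5`, `1.9.17p1`) is the one printed by `sudo --version`.

```shell
#!/bin/sh
# Added example (not from the SOCRadar post or the sudo project): defender-side
# triage for CVE-2025-32463. It tells whether a sudo version string falls in the
# affected 1.9.14..1.9.17 range (1.9.17p1 and later are fixed) and scans
# sudoers-style rules and syslog lines for the runchroot= / CHROOT= indicators
# the advisory names. Sample inputs below are constructed, not real system data.

# Return 0 when version "$1" is affected, else 1; understands sudo's "pN"
# patch-level suffix (1.9.15p5 is affected, 1.9.17p1 is the fix release).
sudo_version_vulnerable() {
  base=${1%%p*}; plevel=${1#"$base"}; plevel=${plevel#p}
  case "$base" in *[!0-9.]*|'') return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $base; IFS=$old_ifs
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  if [ "$major" -ne 1 ] || [ "$minor" -ne 9 ]; then return 1; fi
  if [ "$patch" -lt 14 ] || [ "$patch" -gt 17 ]; then return 1; fi
  if [ "$patch" -eq 17 ] && [ "${plevel:-0}" -ge 1 ]; then return 1; fi
  return 0
}

# runchroot= is the sudoers Defaults setting; CHROOT= is the per-rule sudoers
# option and also the token sudo writes to syslog when a command ran in a chroot.
CHROOT_PATTERN='runchroot[[:space:]]*=|CHROOT[[:space:]]*='
# Print matching lines of file "$1" with line numbers (for review).
find_chroot_indicators() { grep -Ein "$CHROOT_PATTERN" "$1" || true; }
# Print how many lines of file "$1" match (0 when none).
count_chroot_indicators() { grep -Eic "$CHROOT_PATTERN" "$1" || true; }
# Return 0 when a Defaults line sets runchroot=*, which lets the invoking user
# choose the chroot root path (the setting the advisory singles out).
has_wildcard_runchroot() {
  grep -Eiq '^[[:space:]]*Defaults.*runchroot[[:space:]]*=[[:space:]]*"?\*' "$1"
}

WORKDIR=$(mktemp -d); SAMPLE_SUDOERS="$WORKDIR/sudoers"; SAMPLE_SYSLOG="$WORKDIR/syslog"
cat > "$SAMPLE_SUDOERS" <<'EOF'
Defaults runchroot=*
alice ALL=(ALL) CHROOT=/srv/jail /usr/bin/ls
bob   ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
EOF
cat > "$SAMPLE_SYSLOG" <<'EOF'
Oct  1 10:02:11 host sudo: alice : TTY=pts/0 ; CHROOT=/home/alice/jail ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/ls
Oct  1 10:05:42 host sudo:   bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
EOF
for v in 1.9.13 1.9.15p5 1.9.17 1.9.17p1; do
  if sudo_version_vulnerable "$v"; then echo "sudo $v: affected, upgrade to 1.9.17p1 or later"
  else echo "sudo $v: not in affected range"; fi
done
find_chroot_indicators "$SAMPLE_SUDOERS"; find_chroot_indicators "$SAMPLE_SYSLOG"
has_wildcard_runchroot "$SAMPLE_SUDOERS" && echo "WARNING: runchroot=* present; remove it"
```

On a live host, point `find_chroot_indicators` at /etc/sudoers, each file under /etc/sudoers.d and the syslog files, and feed `sudo_version_vulnerable` the third field of the first line of `sudo --version`.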