Critical Vulnerability in sudo Under Active Exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning that hackers are actively exploiting a critical vulnerability (CVE-2025-32463) in the sudo utility, which allows commands to be executed with root-level privileges on Linux systems.

The flaw was first identified by researchers at Stratascale in the summer of 2025. CVE-2025-32463, which received a 9.3 score on the CVSS scale, affects sudo versions prior to 1.9.17p1. The vulnerability arises because, when the -R (chroot) option is used, sudo reads /etc/nsswitch.conf from the user-controlled root directory, enabling local users to escalate privileges.

“The sudo configuration is vulnerable by default,” the researchers explained. “Although the problem is related to the chroot function in sudo, exploiting it does not require any user-specific rules to be defined in sudoers. As a result, any local unprivileged user can escalate their privileges to root.”

In practical terms, an attacker can create a configuration file (/etc/nsswitch.conf) inside a user-specified root directory and trick sudo into loading an arbitrary shared library. This can lead to the execution of malicious commands with elevated privileges.
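As an added example (not code from the article or from the sudo project), the following Python check parses `sudo --version` output and compares it against the fixed release the article names, 1.9.17p1; the sample output in the block is constructed, and the `check_local_sudo` helper is an assumption about how an administrator would wire this into an inventory script.

```python
import re
import subprocess

# Fixed release named in the advisory; anything earlier is affected.
FIXED_VERSION = "1.9.17p1"


def parse_sudo_version(text):
    """Extract a version such as '1.9.17p1' from `sudo --version` output
    and return it as a comparable tuple (major, minor, patch, plevel).
    A release without a 'pN' suffix is treated as plevel 0, so
    1.9.17 sorts before 1.9.17p1."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError("no sudo version string found")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable(version_text):
    """True when the reported version is older than the fixed release."""
    return parse_sudo_version(version_text) < parse_sudo_version(
        "Sudo version " + FIXED_VERSION
    )


def check_local_sudo():
    """Run `sudo --version` on this host and report whether it is affected.
    Returns None when sudo is not installed. (Hypothetical helper.)"""
    try:
        out = subprocess.run(
            ["sudo", "--version"], capture_output=True, text=True, check=False
        ).stdout
    except FileNotFoundError:
        return None
    return is_vulnerable(out)


if __name__ == "__main__":
    # Constructed sample output, not captured from a real host.
    sample = "Sudo version 1.9.16p2\nSudoers policy plugin version 1.9.16p2\n"
    print("affected" if is_vulnerable(sample) else "not affected")
```

Distributions often backport fixes without bumping the upstream version string, so treat a match here as a prompt to confirm against the distribution's own advisory rather than as a final verdict.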

Sudo maintainer Todd C. Miller has stated that the chroot option will be completely removed in future releases, adding that user-specified root directory support is generally “prone to errors.”

Stratascale specialists published a proof-of-concept (PoC) exploit for CVE-2025-32463 in July. Since then, other exploits—likely derived from the technical report—have circulated publicly.

Now, CISA warns that the vulnerability is being used in real-world attacks. However, the agency has not disclosed specific incidents or explained how attackers are exploiting the flaw.