Critical vulnerability CVE-2025-32463 in sudo jeopardizes Linux systems

Posted on 2025-07-02 by guenni

[German]The sudo command in Linux allows local privilege escalation due to a vulnerability CVE-2025-32463 classified as critical. The background is an improper handling of /etc/nsswitch.conf, so that root privileges are obtained.

Advertising

I came across the topic once through a comment by German blog reader Norddeutsch in my other IT blog, as well as through a tweet. I'm dragging the details here into the post, as I clean up the discussion area cyclically. Norddeutsch wrote;

Linux user expects urgent updates from the sudo package. Priority high, remote possible. This for various distributions and branches.

Due to a bug there is no restriction when using "-host, -h". This option is intended by design for "remote code execution". It enables privilege escalation and thus unauthorized execution by exploiting it on a remote host.

There is also an error in the "change root" environment with the "-chroot, -R" parameter. This allows arbitrary code execution and undermines correct limitations in the sudoers file. The sudoers file represents essential "policies" under Linux, e.g. it regulates the rights for system users and the permission to execute sudo.

I have not yet read any PoC, abuse or further information. Mitre has no detailed information and listed "reserved" in the posting for CVE-2025-32462 and CVE-2025-32463.

See also manual page "man sudo", "man sudoers" or the links sudosudoers.

Ubuntu names 25.04 plucky, 24.10 oracular, sowie die gesamte LTS-Reihe: 24.04 noble, 22.04 jammy, 20.04 focal, 18.04 bionic, 16.04 xenial, 14.04 trusty as critical form CVE-2025-32462. For CVE-2025-32463 "nonly" 25.04 plucky, 24.10 oracular and 24.04 LTS noble.

The Security Tracker at Debian announces version 1.9.13p3-1+deb12u2 for Bookworm and version 1.9.5p2-3+deb11u2 for Bullseye. These are not yet available on all security mirrors.

…in my opinion, SSH should not be connected directly to the network.

In the meantime, there are already some details on the linked CVEs. More details are given in the following tweet.

Sudo CVE-2025-32463

Affected are sudo versions 1.9.14 to 1.9.17, and the tweet refers to this OpenWall description, according to which the bug in sudo 1.9.17p1 should be fixed. Security researchers from stratascale have found the vulnerability and documented it in this blog post as of June 30, 2025. Major Linux distributions are providing updates to fix the vulnerability.

Advertising
This entry was posted in Linux, Security, Update and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

Note: Please note the rules for commenting on the blog (first comments and linked posts end up in moderation, I release them every few hours, I rigorously delete SEO posts/SPAM).