CVE-2025-32463 - PatchNow

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-06-30

Added to CISA KEV: 2025-09-29 91 DAYS BETWEEN CVE AND KEV

🎯 Recommendations:

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review logs, check for unauthorized access, verify system integrity
Update Sudo to version 1.9.17p1 or later immediately on all Linux/Unix systems
Review sudo logs (/var/log/secure, /var/log/auth.log) for suspicious --chroot usage
Audit user accounts and access controls to prevent initial compromise
Monitor for privilege escalation activities and unauthorized root access
PATCH PRIORITY: HIGH - While not directly internet-exploitable, this is a post-compromise escalation vector being actively exploited

🔍 Web Intelligence (Kagi · 2026-06-04)

CVE-2025-32463 is a local privilege escalation vulnerability affecting the `sudo` utility, which allows an unprivileged local user to gain root access ^[2] ^[3].

Vulnerability Overview

Impact: Successful exploitation allows a local user to escalate their privileges to root ^[1].
Attack Method: The vulnerability exists because `sudo` uses the `/etc/nsswitch.conf` file from a user-controlled directory when the `--chroot` (or `-R`) option is invoked ^[2]. By manipulating this configuration, an attacker can influence the execution environment to achieve root privileges ^[4].
Requirements: This is a local vulnerability, meaning an attacker must already have local access to the system to exploit it ^[1]. It does not require specific `sudo` rules to be defined for the user ^[3].

Exploitation and Threat Landscape

Active Exploitation: There is no widely reported evidence of this vulnerability being actively exploited in the wild by major threat actors in ransomware or targeted campaigns as of mid-2026.
Proof-of-Concept (PoC): Publicly available proof-of-concept code and exploit scripts have been shared on platforms like GitHub (e.g., by researchers and security enthusiasts) to demonstrate the flaw ^[1] ^[3].

Affected Versions and Mitigation

Affected Versions: The vulnerability affects `sudo` versions 1.9.14 through 1.9.17 ^[3].
Patch Status: The issue was addressed in `sudo` version 1.9.17p1 ^[2]. Users are advised to update to this version or later to mitigate the risk.

Sources

kh4sh3i/CVE-2025-32463: Local Privilege Escalation to ...
CVE-2025-32463 is a local privilege escalation vulnerability in the Sudo binary. The flaw allows a local user to escalate privileges to root under specific ... CVE-2025-32463 is a local privilege escalation vulnerability in the Sudo binary. The flaw allows a local user to escalate privileges to root…
CVE-2025-32463 Detail - NVD
Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
GitHub - pevinkumar10/CVE-2025-32463: Exploit for Local Privilege ...
The Stratascale Cyber Research Unit (CRU) discovered two local privilege escalation vulnerabilities in Sudo, one of which is CVE-2025-32463. This vulnerability affects Sudo versions 1.9.14 through 1.9.17, and allows unprivileged local users to gain root access by abusing the --chroot (-R) option, ev…
New Sudo Vulnerabilities: CVE-2025-32462 ...
It allows attackers to bypass host checks and execute commands as root. The second, CVE-2025-32463, dubbed a “chroot to root” bug, carries a ...