Actively Exploited Linux Sudo Vulnerability: CISA Recommends Urgent Patching

CISA has added CVE-2025-32463, a critical local privilege escalation vulnerability in the sudo utility, to its Known Exploited Vulnerabilities (KEV) catalog after confirming that attackers are actively exploiting it. The flaw lets an ordinary local user gain full administrative (root) access, putting critical infrastructure at risk. Although it affects only a subset of sudo versions (1.9.14 through 1.9.17), those versions are widely deployed across enterprise Linux systems. CISA requires federal agencies to remediate by October 20, 2025, and all organizations are advised to apply the available patch promptly and examine their systems for indicators of abuse.

Technical Description

CVE-2025-32463 is a local privilege escalation vulnerability in sudo 1.9.14 through 1.9.17 that lets an unprivileged user run arbitrary code as root via the --chroot (-R) option. The attacker stages a chroot directory they control containing a crafted etc/nsswitch.conf and a matching libnss_*.so; because vulnerable sudo calls chroot() into that directory while it is still evaluating the sudoers policy, the NSS lookups performed during that evaluation load the attacker's shared object. The load happens while sudo still runs as root and before it has decided whether the user is permitted to run anything, so the module's code executes with full root privileges and can escape the chroot. The vulnerability is actively exploited in the wild.

CVE: CVE-2025-32463
CVSS: 7.8
Vulnerability Type: Local Privilege Escalation via Untrusted Search Path
Affected Product: sudo 1.9.14 – 1.9.17
Patch Version: sudo 1.9.17p1 or later

Because the vulnerability is actively exploited in the wild, the flaw is now listed in CISA's KEV catalog, and upgrading to sudo 1.9.17p1 or later is strongly recommended.

Exploitation Demonstration:

  • Vulnerable sudo calls chroot() while it is still evaluating the sudoers policy and performing NSS lookups, so name-service resolution takes place inside an attacker-controlled root directory.
  • An attacker with a local account prepares a chroot tree containing a forged etc/nsswitch.conf and a malicious libnss_*.so that implements the NSS module interface, then invokes sudo with -R/--chroot pointing at that tree.
  • During name-service resolution, glibc's NSS loads the attacker-provided libnss_*.so (via dlopen) inside sudo's privileged process.
  • Because the module runs as root before sudo has drop ped privileges or finished the policy check, its code (for example a constructor function) can execute arbitrary commands as root outside the chroot; the user needs no sudoers rule for this to happen.
  • Indicators include unusual CHROOT= entries in sudo's syslog output, user-owned etc/nsswitch.conf and libnss_*.so files inside chroot trees, and unexpected root-owned processes or file modifications following chrooted sudo calls.
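The indicators listed above can be turned into a first-pass hunt. The following script is an added example written for this page, not code from the advisory or the sudo project: it flags sudo log lines that carry CHROOT=, extracts the chroot paths from them, and lists the NSS artefacts (etc/nsswitch.conf, libnss_*.so) inside a chroot tree together with their owner. The log lines and the chroot layout it runs against are constructed samples; the CHROOT= field and the "command not allowed" wording follow sudo's usual syslog format, but confirm them against your own distribution's logs.

```shell
#!/bin/sh
# Added detection example for the indicators above (not from the advisory
# or the sudo project). Flags sudo log entries that record a chroot, pulls
# the chroot directories out of them, and scans a tree for planted NSS files.

# Constructed sample sudo syslog lines. On a real host read them from
# /var/log/auth.log, /var/log/secure, or `journalctl -t sudo`.
SAMPLE_LOG='Oct  2 10:14:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl status sshd
Oct  2 10:15:22 host sudo:      bob : TTY=pts/1 ; PWD=/tmp/bob ; CHROOT=/tmp/bob/root ; USER=root ; COMMAND=/usr/bin/id
Oct  2 10:15:23 host sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/tmp/bob ; CHROOT=/tmp/bob/root ; USER=root ; COMMAND=/usr/bin/id'

# Print every sudo log line that records a chroot (-R/--chroot).
# A "command not allowed" line with CHROOT= still matters: the NSS lookup,
# and therefore the module load, happens before the rule is rejected.
chroot_sudo_entries() {
    grep 'sudo:.*CHROOT='
}

# Extract the unique chroot directories from such entries.
chroot_paths() {
    chroot_sudo_entries | sed -n 's/.*CHROOT=\([^ ;]*\).*/\1/p' | sort -u
}

# List NSS artefacts inside a chroot tree, with owner and mode, so a
# reviewer can see whether an unprivileged user controls them.
# Prints nothing for a directory that does not exist.
scan_chroot_tree() {
    dir=$1
    [ -d "$dir" ] || return 0
    find "$dir" \( -name nsswitch.conf -o -name 'libnss_*.so*' \) -type f \
        -exec ls -ld {} \;
}

# Stand-alone run: report from the sample log, then scan a constructed
# chroot tree that mimics the layout an attacker would plant.
printf '%s\n' "$SAMPLE_LOG" | chroot_sudo_entries
printf '%s\n' "$SAMPLE_LOG" | chroot_paths

DEMO_ROOT=$(mktemp -d)
mkdir -p "$DEMO_ROOT/etc" "$DEMO_ROOT/lib"
printf 'passwd: evil\n' > "$DEMO_ROOT/etc/nsswitch.conf"   # constructed placeholder content
: > "$DEMO_ROOT/lib/libnss_evil.so.2"                      # constructed placeholder module
scan_chroot_tree "$DEMO_ROOT"
rm -rf "$DEMO_ROOT"
```

On a live host, feed the real log into chroot_paths and pass each directory it prints to scan_chroot_tree; a chroot directory under /tmp or a home directory, or one whose nsswitch.conf is not owned by root, is the pattern to escalate to incident response.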


Platform Impact Differences

  • Linux: Highly exposed on distributions that implement NSS through /etc/nsswitch.conf and ship affected sudo versions (1.9.14–1.9.17). How a distribution packages sudo (including backported fixes) and configures NSS determines the exact behavior.
  • Other Unix-like systems: Less likely to be affected if they do not read /etc/nsswitch.conf or do not use glibc-style NSS module loading. Legacy sudo (≤1.8.32) is not vulnerable because it lacks the chroot feature.
  • Container environments: The attack surface grows wherever a user can control a chroot directory and have shared objects loaded from it; containers that let unprivileged users place NSS-related files and invoke a vulnerable sudo with --chroot can be abused in the same way.

Ease of Exploitation:

An attacker who already holds an unprivileged local account can exploit CVE-2025-32463 with little effort. sudo is setuid root and accepts the -R/--chroot option from any user, and vulnerable versions perform the chroot during sudoers evaluation, so no sudoers rule (and no CHROOT=/runchroot= setting) is needed to trigger the NSS lookups that load the malicious module; the only other prerequisite is a system whose NSS configuration comes from /etc/nsswitch.conf, which is standard on glibc-based Linux. The flaw's inclusion in CISA's KEV catalog and the publicly available proofs of concept have greatly lowered the barrier to weaponization, even though the attack is not remotely exploitable on its own. The adversary simply builds a chroot tree containing a malicious libnss_*.so and a crafted nsswitch.conf, then runs sudo -R against it to trigger dlopen() inside sudo's privileged NSS lookups and gain root. Unpatched, multi-user, or containerized setups remain highly exposed; hardening such as SELinux or AppArmor confinement of sudo's library loading makes exploitation harder, but only the patched sudo removes the flaw, and deleting chroot rules from sudoers does not by itself prevent it.

Conclusion:

CVE-2025-32463 is a high-risk local privilege escalation that turns local access into an immediate full-system compromise on susceptible systems. The combination of a widely used utility (sudo), a chroot-related design flaw, and public proofs of concept demands immediate remediation: upgrade to the fixed sudo release (1.9.17p1 or later), remove or revoke chroot-related sudo rules as a hardening measure, search logs for CHROOT= entries, and assume compromise for any host that shows suspicious chroot activity. All organizations should treat these steps as essential security measures.

Impact

Exploitation gives attackers immediate root privileges and therefore full system compromise: they can read or exfiltrate sensitive data, modify or destroy files and programs, install persistent backdoors, and disable or tamper with logging and detection systems. This undermines confidentiality, integrity, and availability on affected hosts and enables lateral movement to other systems or services. For production, multi-tenant, or high-value environments, the business impact ranges from service disruption and regulatory exposure to long-term breach recovery costs and reputational harm.

IOC and Context Details

Tactic Name: Privilege Escalation
Technique Name: Exploitation for Privilege Escalation
Sub-Technique Name: NSS module shared-object loading via chroot (sudo -R/--chroot) — custom / vendor-specific
Attack Type: Local Privilege Escalation
Targeted Applications: sudo (1.9.14–1.9.17); NSS (libnss_*.so); any service relying on /etc/nsswitch.conf (Linux/Unix)
Region Impacted: Global
Industry Impacted: All industries
IOCs: N/A
CVE: CVE-2025-32463 (CVSS 7.8)

Recommended Actions

  • Upgrade sudo to version 1.9.17p1 or later on all affected systems immediately; on distributions that backport fixes, confirm the fix through the package changelog or the vendor advisory rather than the upstream version number alone. Note that 1.9.17p1 also deprecates the chroot option.
  • Remove or disable any sudoers rules that permit the chroot (-R/--chroot) option or set runchroot; this is a hardening step, not a substitute for the patch, because the vulnerable code path runs before sudoers rules are applied.
  • Search logs for CHROOT= entries and unexpected -R sudo invocations to detect possible exploitation.
  • Limit sudo access by applying least-privilege principles and restrict chroot-capable commands to trusted users only.
  • Apply strong library-loading protections and enforce SELinux or AppArmor policies to prevent unauthorized module loading.
  • If suspicious activity is detected, isolate the affected host and initiate a full incident response and system rebuild.
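To support the first two actions, the following script is an added triage example written for this page (not code from the advisory or the sudo project). It classifies an upstream sudo version string against the 1.9.14–1.9.17 range, parses the version out of sudo --version output, and lists sudoers lines that set a chroot either per rule (CHROOT=) or as a Defaults option (runchroot=). The sudoers content it runs against is a constructed sample; the version check applies to upstream version strings only and does not account for distribution backports.

```shell
#!/bin/sh
# Added triage example for the actions above (not from the advisory or the
# sudo project): version-range check, `sudo --version` parsing, and a scan
# for chroot-related sudoers rules.

# Return 0 (true) when an upstream sudo version string falls in the
# vulnerable range: any p-level of 1.9.14 through 1.9.16, and plain 1.9.17.
# 1.9.17p1 and later are fixed. Distribution packages that backport the fix
# keep an older version string, so treat a "vulnerable" result as
# "verify with the vendor", not as proof.
sudo_version_vulnerable() {
    case $1 in
        1.9.1[4-6]|1.9.1[4-6]p*) return 0 ;;
        1.9.17)                  return 0 ;;
        *)                       return 1 ;;
    esac
}

# Pull the version token (e.g. 1.9.17p1) out of `sudo --version` output,
# whose first line reads "Sudo version X.Y.Z[pN]".
sudo_version_from_output() {
    sed -n 's/^Sudo version \([0-9][0-9.]*p\{0,1\}[0-9]*\).*/\1/p' | head -n 1
}

# Constructed sudoers content. On a host, run chroot_sudoers_rules over
# /etc/sudoers and /etc/sudoers.d/* (as root) instead.
SAMPLE_SUDOERS='Defaults env_reset
# CHROOT=/this/is/only/a/comment
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(root) CHROOT=/srv/jail /usr/bin/ls
Defaults:bob runchroot=/srv/jail'

# Print sudoers lines that set a chroot, skipping comment lines.
chroot_sudoers_rules() {
    grep -v '^[[:space:]]*#' | grep -E 'CHROOT=|runchroot='
}

# Stand-alone run: classify a few version strings, check the installed sudo
# if one is present, and report chroot rules from the sample sudoers.
for v in 1.8.32 1.9.13 1.9.14 1.9.15p5 1.9.17 1.9.17p1 1.9.18; do
    if sudo_version_vulnerable "$v"; then
        echo "$v: in vulnerable range (1.9.14-1.9.17)"
    else
        echo "$v: outside vulnerable range"
    fi
done

if command -v sudo >/dev/null 2>&1; then
    installed=$(sudo --version 2>/dev/null | sudo_version_from_output || true)
    if [ -n "$installed" ]; then
        if sudo_version_vulnerable "$installed"; then
            echo "installed sudo $installed: in vulnerable range, verify backport status"
        else
            echo "installed sudo $installed: outside vulnerable range"
        fi
    fi
fi

printf '%s\n' "$SAMPLE_SUDOERS" | chroot_sudoers_rules
```

The version check is deliberately a string comparison on the upstream numbering scheme; for fleet-wide triage, combine it with the package manager's view (for example dpkg -l sudo or rpm -q sudo) and the vendor's fixed-version list, since a backported fix leaves the upstream version unchanged.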

References

https://www.bleepingcomputer.com/news/security/cisa-warns-of-critical-linux-sudo-flaw-exploited-in-attacks/