Critical Local Privilege Escalation Vulnerability in Sudo Under Active Exploitation (CVE-2025-32463)
October 13th, 2025
Critical
Our Cyber Threat Intelligence Unit is monitoring active exploitation of a critical local privilege-escalation vulnerability in the widely deployed sudo utility, identified as CVE-2025-32463. The vulnerability, which affects sudo versions 1.9.14 through 1.9.17 (inclusive), stems from improper handling of the --chroot (-R) option. CISA has added this CVE to its Known Exploited Vulnerabilities (KEV) catalog following confirmed in-the-wild attacks. Systems running vulnerable builds that include the chroot feature are exposed to complete local compromise. Versions without chroot support (legacy ≤ 1.8.32) are not affected. Upgrading to sudo 1.9.17p1 or later is the only reliable mitigation; major vendors have shipped updates, and no practical workarounds are recommended.
Technical Details
Attack Type: Local privilege escalation to root.
Severity: Critical (CVSS 9.3).
CVE ID: CVE-2025-32463.
Delivery Method: Local execution of sudo --chroot <path> or sudo -R <path> by an unprivileged user.
Root Cause: When invoked with --chroot, affected sudo versions may read /etc/nsswitch.conf from the attacker-supplied chroot path.
Technique: By manipulating this configuration, a local user can force sudo to load attacker-controlled libraries during NSS lookups, resulting in arbitrary code execution as root, even if the account is not listed in sudoers.
Affected Versions: Sudo versions 1.9.14 to 1.9.17 inclusive are vulnerable. Builds without chroot functionality (≤ 1.8.32) are not vulnerable.
Impact
Exploitation allows an unprivileged local user to execute arbitrary commands as root, granting complete control over the affected host.
Environments where multiple users share compute resources, such as build servers, CI/CD runners, developer workstations, and jump hosts, are particularly at risk.
Once root access is obtained, an attacker can:
Deploy persistent backdoors or kernel modules.
Exfiltrate credentials and SSH keys.
Alter logs, binaries, or security tooling.
Move laterally to connected systems.
Treat confirmed exploitation as a complete system compromise requiring isolation and rebuild.
Detection Method
Process and command-line review: Search shell history, auditd, or EDR telemetry for invocations of sudo -R or sudo --chroot by non-admin users.
Sudo logs: If JSON or I/O logging is enabled, filter for runchroot / chroot (naming varies by config) fields or entries indicating use of the --chroot option.
Behavioral indicators:
Sudden privilege escalation or new root-owned processes spawned from unprivileged accounts.
Unexpected edits to /etc/sudoers or addition of new root accounts / SSH keys.
Library-loading anomalies from the sudo-specified chroot path (e.g., unexpected libnss_*.so under user-writable or ephemeral dirs like /tmp, build/test roots, mounted images).
Correlate any such events with contemporaneous process creation or NSS lookup activity.
Indicators of Compromise
Type | Indicator | Description |
Command Pattern | sudo -R <path> or sudo --chroot <path> | Unexpected use by non-admin or CI users should be investigated. |
Log Artifact | runchroot / chroot field in sudo JSON logs
| Presence indicates use of chroot functionality; validate the path and user context. |
Recommendations
Patch immediately: Upgrade to sudo 1.9.17p1 or newer (some vendors ship 1.9.17p2 and bundle fixes for related issues such as CVE-2025-32462).
Restrict local access: Limit interactive logins and shared accounts on sensitive hosts.
Review sudoers policies: Remove unnecessary sudo privileges and audit any use of –chroot if feasible.
Hunt environment-wide: Search for chroot-related invocations and analyze any associated library loads.
Incident response:
Isolate confirmed-compromised hosts.
Capture memory, logs, and /etc changes for forensic review.
Rotate credentials and rebuild affected systems.
Stakeholder communication: Coordinate with internal IR and follow CISA/advisory reporting guidelines.
Conclusion
CVE-2025-32463 is a critical, actively exploited privilege-escalation vulnerability in sudo that allows root compromise without sudoers authorization. Successful exploitation grants full local compromise, allowing attackers to establish persistence, tamper with logs, or pivot across connected systems. Exploitation of this vulnerability demonstrates adversaries’ continued focus on linking local privilege escalation with remote access to achieve complete control of an environment. We urge organizations to treat hosts running vulnerable versions as high-risk and initiate targeted hunts for signs of exploitation. Immediate patching, environment-wide hunting for --chroot usage, and full forensic containment are imperative to prevent lateral movement and post-compromise impact.