Organizations Warned of Exploited Sudo Vulnerability
The vulnerability could allow local, low-privileged attackers to execute commands with root privileges, leading to full system compromise.
The US cybersecurity agency CISA on Monday (September 29, 2025) warned that a recently patched local privilege escalation vulnerability in Sudo has been exploited in the wild.
A command-line utility for Linux and macOS, Sudo enables specified users to execute commands with root or administrator privileges without having to log in as superuser. A Windows implementation of the Sudo concept also exists, but it is not a fork or port of the Unix project.
Because of the elevated temporary access that Sudo provides on Linux and macOS, only users configured in a sudoers file are permitted to execute commands via Sudo.
The security defect flagged as exploited by CISA, tracked as CVE-2025-32463 (CVSS score of 9.3), allows any user to execute commands using Sudo, even if they are not configured in the sudoers file.
Successful exploitation of the bug is only possible on systems that support /etc/nsswitch.conf, as it requires for the attacker to create an /etc/nsswitch.conf file under a user-specified root directory and then use the chroot feature to trick Sudo into loading it.
The bug was introduced in 2023 in Sudo version 1.9.14 and was resolved in June with the release of Sudo version 1.9.17p1, which deprecated the chroot feature and removed the option to run commands with a user-selected root directory.
