Critical Sudo Flaw (CVSS 9.3) Added to CISA KEV List—Patch Immediately to Prevent Root Access
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical flaw in the widely used Sudo utility—employed across Linux and Unix-like systems—to its Known Exploited Vulnerabilities (KEV) catalog. Tracked as CVE-2025-32463 and rated 9.3 on the CVSS scale, the vulnerability affects Sudo versions prior to 1.9.17p1. It enables a local user, via the -R (--chroot) option, to execute arbitrary commands with superuser privileges, even when such actions are not permitted by the sudoers configuration. The issue was first disclosed in late June 2025 by Stratascale researcher Rich Mirch.
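Because the only version boundary the advisory gives is 1.9.17p1, an administrator's first question is whether a host's installed Sudo falls below it. The following POSIX shell script is an added example, not code from the article or from the Sudo project; it parses Sudo's "MAJOR.MINOR.PATCH[pN]" version strings (including the "p" patch level, which a naive string comparison gets wrong) and reports whether the binary on PATH is in the affected range.

```sh
#!/bin/sh
# Added example (not part of the article): check whether an installed Sudo
# is older than 1.9.17p1, the first release the article names as fixed for
# CVE-2025-32463. Version strings use Sudo's "MAJOR.MINOR.PATCH[pN]" form.

FIXED_VERSION="1.9.17p1"

# Split "MAJOR.MINOR.PATCH[pN]" into four integers: "1.9.17p1" -> "1 9 17 1".
# A missing pN patch level counts as p0, so 1.9.17 sorts before 1.9.17p1.
sudo_version_key() {
    ver="$1"
    case "$ver" in
        *p*) plevel="${ver##*p}"; base="${ver%p*}" ;;
        *)   plevel=0;            base="$ver" ;;
    esac
    major="${base%%.*}"
    rest="${base#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    [ "$patch" != "$rest" ] || patch=0     # no third component given
    echo "$major $minor $patch $plevel"
}

# Collapse the four components into one comparable integer.
sudo_version_number() {
    set -- $(sudo_version_key "$1")
    echo $(( $1 * 1000000 + $2 * 10000 + $3 * 100 + $4 ))
}

# Exit status 0 when the given version is older than the fixed release.
sudo_is_vulnerable() {
    [ "$(sudo_version_number "$1")" -lt "$(sudo_version_number "$FIXED_VERSION")" ]
}

# Read the version of the sudo binary on PATH from its "Sudo version X" line.
installed_sudo_version() {
    sudo --version 2>/dev/null | awk '/^Sudo version/ { print $3; exit }'
}

if ! command -v sudo >/dev/null 2>&1; then
    echo "sudo not found on PATH"
elif installed="$(installed_sudo_version)" && [ -z "$installed" ]; then
    echo "could not parse sudo --version output"
elif sudo_is_vulnerable "$installed"; then
    echo "sudo $installed is older than $FIXED_VERSION: affected by CVE-2025-32463"
else
    echo "sudo $installed is at or above $FIXED_VERSION"
fi
```

Run it on each host (or feed `sudo_is_vulnerable` a version string collected by your inventory tooling) to build the list of systems that still need the 1.9.17p1 or later package.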
Although the exact methods of exploitation and the actors behind the attacks remain undisclosed, CISA has confirmed instances of the flaw being weaponized in the wild. As a result, the agency has mandated that U.S. federal civilian agencies remediate the vulnerability no later than October 20, 2025, to reduce the risk of network compromise.
Beyond the Sudo flaw, CISA has also added four additional vulnerabilities to the KEV list:
- CVE-2021-21311 in Adminer, a server-side SSRF vulnerability that allows remote attackers to extract sensitive data. It was previously exploited by the group UNC2903 against AWS infrastructure, as reported by Google Mandiant in 2022.
- CVE-2025-20352 in Cisco IOS and IOS XE, a flaw in the SNMP subsystem that can lead to denial-of-service or remote code execution. Cisco confirmed active exploitation just last week.
- CVE-2025-10035 in Fortra GoAnywhere MFT, caused by unsafe deserialization. It allows attackers to inject crafted objects and execute commands when leveraging a forged licensing response. This activity was first reported by watchTowr Labs.
- CVE-2025-59689 in Libraesva Email Security Gateway, a vulnerability that permits command injection through compressed email attachments, with exploitation confirmed by the vendor itself.
CISA emphasizes that the inclusion of these flaws in the KEV catalog signals a high likelihood of attacks targeting organizations that fail to apply timely patches. Vendors and system administrators are strongly urged to remediate the listed vulnerabilities without delay, as they already pose a concrete and active threat.