Critical Sudo Flaws (CVE-2025-32463, CVSS 9.3): Root Privilege Escalation Via --chroot & --host Options, PoC Available
Millions of Linux-based systems across the globe have been exposed to serious risk due to a newly discovered critical vulnerability in the sudo utility—one that enables attackers to gain superuser privileges and seize full control of affected servers. What makes this situation particularly grave is that the flaw impacts not only individual workstations but also mission-critical services, including servers running Ubuntu and Fedora.
Sudo is a fundamental tool that allows users to execute commands with administrative or superuser privileges on Linux systems. Within this utility, researchers from the Stratascale Cyber Research Unit uncovered two critical flaws. Alarmingly, the vulnerability is so trivially exploitable that any local user could achieve full system access in mere minutes.
The issue first emerged in sudo version 1.9.14, released in June 2023. A patch was issued only on June 30, 2025, in version 1.9.17p1. However, by then, the flaw had already propagated to millions of servers, many of which remain unpatched to this day.
Experts warn that exploiting the vulnerability requires neither prior configuration nor elevated privileges. The flaw resides in the rarely used chroot option of the sudo utility. This feature is designed to isolate processes within a specific directory, giving the illusion that the remainder of the file system is inaccessible. Yet due to the discovered flaws, attackers can “escape” this virtual confinement and gain unrestricted control over the entire system.
To execute the attack, an adversary simply needs to create a custom /etc/nsswitch.conf file within a user-defined directory designated as the chroot root. This file dictates how the system resolves user names, groups, hosts, and other resources. By manipulating its contents, the attacker can inject a malicious library that executes with root privileges.
The sudo maintainers have confirmed the issue and, in version 1.9.17p1, officially disabled the use of the chroot option. Nonetheless, countless systems remain vulnerable. One example was reported by heise.de, a German tech publication, which found that even freshly deployed Ubuntu virtual machines on major German cloud platforms were shipping with the vulnerable version of sudo, despite the patch being publicly available.
Stratascale researchers have released a proof-of-concept script demonstrating how an attacker can compile a malicious library, create a temporary directory, place the necessary files within it, and exploit the vulnerability to gain complete system access.
System administrators are strongly urged to immediately update their sudo packages to the latest version. There are no alternative mitigation strategies beyond applying the patch. It is also essential to audit system configurations to ensure that the chroot option is not in use. This involves reviewing all rules in the /etc/sudoers and /etc/sudoers.d files, and for LDAP-stored configurations, using specialized tools to extract and inspect them.
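A defender-side check for the two mitigation steps above (confirm the installed sudo carries the 1.9.17p1 fix, and find any sudoers rule that enables chroot), written here as an added example; it is not code from the advisory, from Stratascale or from the sudo project. It assumes the sudoers spellings of the option are the per-command `CHROOT=` tag and the `Defaults runchroot=` keyword, reads the version from `sudo --version`, and runs against a constructed sample rule set in a temporary directory; LDAP-stored sudoers are not covered.

```shell
#!/bin/sh
# Audit helper for CVE-2025-32463 (sudo chroot escape). Added example, not from the
# advisory or the sudo project. Two checks:
#   1. Is the installed sudo at least 1.9.17p1 (the release the article names as fixed)?
#   2. Does any sudoers file enable chroot via a "CHROOT=" tag or "Defaults runchroot="?
# The rule set scanned at the bottom is constructed for the demo, not a real host's.

# Map "1.9.17p1" to one integer so versions compare with plain arithmetic:
# major*1000000 + minor*10000 + patch*100 + patchlevel (the "pN" suffix, 0 if absent).
version_key() {
    v=$1
    p=0
    case "$v" in
        *p*) p=${v##*p}; v=${v%p*} ;;
    esac
    maj=${v%%.*}; rest=${v#*.}
    min=${rest%%.*}; pat=${rest#*.}
    [ "$pat" = "$rest" ] && pat=0
    echo $(( maj * 1000000 + min * 10000 + pat * 100 + p ))
}

# True (exit 0) when the version string is 1.9.17p1 or newer.
sudo_version_fixed() {
    [ "$(version_key "$1")" -ge "$(version_key 1.9.17p1)" ]
}

# True when the version falls in the window the article describes: 1.9.14 up to,
# but not including, 1.9.17p1.
sudo_version_affected() {
    k=$(version_key "$1")
    [ "$k" -ge "$(version_key 1.9.14)" ] && [ "$k" -lt "$(version_key 1.9.17p1)" ]
}

# Pull the version out of "Sudo version 1.9.17p1 ..." (empty if sudo is absent).
installed_sudo_version() {
    sudo --version 2>/dev/null | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p'
}

# Print every non-comment line in a sudoers file that enables chroot (with line
# numbers); exit 0 if at least one was found. Case-insensitive, like sudoers tags.
find_chroot_rules() {
    grep -iEn '^[^#]*(CHROOT=|runchroot)' "$1"
}

# Scan <dir>/sudoers and every file in <dir>/sudoers.d; exit 0 if chroot is enabled
# anywhere. Pass /etc to audit a live host.
audit_sudoers() {
    found=1
    for f in "$1/sudoers" "$1"/sudoers.d/*; do
        [ -f "$f" ] || continue
        if find_chroot_rules "$f"; then
            echo "  ^-- chroot enabled in $f"
            found=0
        fi
    done
    return $found
}

# --- demo on a constructed rule set ---------------------------------------------
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/sudoers.d"
cat > "$demo_dir/sudoers" <<'EOF'
# constructed sample: no chroot here
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
EOF
cat > "$demo_dir/sudoers.d/builders" <<'EOF'
# constructed sample: a drop-in that lets a group run a build inside a chroot
Defaults runchroot=/srv/build
%builders ALL=(root) CHROOT=/srv/build /usr/bin/make
EOF

ver=$(installed_sudo_version)
if [ -z "$ver" ]; then
    echo "sudo not found on PATH; skipping version check"
elif sudo_version_fixed "$ver"; then
    echo "sudo $ver: includes the 1.9.17p1 fix"
elif sudo_version_affected "$ver"; then
    echo "sudo $ver: in the affected range (1.9.14 to 1.9.17), update now"
else
    echo "sudo $ver: below 1.9.14, outside the range the advisory names"
fi

if audit_sudoers "$demo_dir"; then
    echo "chroot is enabled in the sample rule set; remove those rules until sudo is patched"
else
    echo "no chroot rules found"
fi
```

On a real host, call `audit_sudoers /etc` and compare `installed_sudo_version` against the distribution's backported fix as well, since vendors sometimes patch without bumping the upstream version string.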
Given the ubiquity of Linux and the central role of Ubuntu and Fedora servers in global infrastructure, the implications of this vulnerability are potentially devastating.