A newly disclosed vulnerability in the widely used Sudo utility, tracked as CVE-2025-32462, has exposed Linux and Unix-like systems to a local privilege escalation (LPE) risk, potentially allowing attackers to gain unauthorized root access.
The flaw, present in Sudo’s codebase for over 12 years, was discovered by Rich Mirch of the Stratascale Cyber Research Unit and affects both stable (v1.9.0–1.9.17) and legacy (v1.8.8–1.8.32) versions of Sudo.
Sudo is a fundamental command-line tool that enables authorized users to execute commands with elevated privileges, typically as the root user, without requiring full root login.
System administrators rely on Sudo to enforce the principle of least privilege and maintain an audit trail of administrative actions.
Technical Details: Host Option Exploitation
The vulnerability centers on Sudo’s host option (-h or --host), which was originally intended for use only with the list option (-l or --list) to display a user’s sudo privileges for a host other than the current one.
Due to a bug, this restriction was not enforced, allowing the host option to be used with other Sudo operations, such as running commands or editing files with sudoedit.
This flaw becomes exploitable in environments where Sudo rules in the sudoers file are restricted to specific hostnames or patterns using the Host or Host_Alias directives.
By specifying the host option with a permitted remote host, a local attacker can bypass host-based restrictions and execute commands as root on the local machine, without needing a custom exploit.
Example of Vulnerable Configuration:

```
Host_Alias DEV = dev.test.local
Host_Alias PROD = prod.test.local
lowpriv DEV = (root) ALL
lowpriv !PROD = (root) ALL
```
In this scenario, a user denied root access on the production server could escalate privileges locally by invoking:
```bash
sudo -h dev.test.local -i
```
This command tricks Sudo into applying the development server’s rules to the local system, granting unintended root access.
Remediation and Recommendations
The vulnerability has been addressed in Sudo version 1.9.17p1 and corresponding distribution patches released in June 2025.
Administrators are strongly advised to:
- Update Sudo to version 1.9.17p1 or later on all systems.
- Review the sudoers files for any use of Host or Host_Alias directives and audit all Sudo rules in /etc/sudoers and /etc/sudoers.d.
- Note that no workaround exists; patching is the only mitigation.
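To make the two checks above concrete (the sudoers audit for host-restricted rules, and the version check against the article's affected ranges), here is an added example that is not part of the original article or of the Sudo project. It assumes a constructed sudoers sample modelled on the vulnerable configuration shown earlier, and that the version banner comes from `sudo --version`.

```python
import re

# Constructed sample sudoers content, modelled on the article's vulnerable example.
SAMPLE_SUDOERS = """\
Defaults env_reset
Host_Alias DEV = dev.test.local
Host_Alias PROD = prod.test.local
lowpriv DEV = (root) ALL
lowpriv !PROD = (root) ALL
admin ALL = (ALL) ALL   # not host-restricted, so -h changes nothing here
"""

# Version ranges the article lists as affected; the fix ships in 1.9.17p1.
AFFECTED = [((1, 8, 8, 0), (1, 8, 32, 99)), ((1, 9, 0, 0), (1, 9, 17, 0))]

def find_host_restricted_rules(sudoers_text):
    """Return (host_aliases, rules): every Host_Alias definition and every
    user specification whose host field is anything other than ALL."""
    aliases, rules = {}, []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        m = re.match(r"Host_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [h.strip() for h in m.group(2).split(",")]
            continue
        if line.startswith(("Defaults", "User_Alias", "Runas_Alias", "Cmnd_Alias")):
            continue
        m = re.match(r"(\S+)\s+(\S+)\s*=\s*(.+)", line)   # user host = (runas) cmds
        if m and m.group(2).lstrip("!").upper() != "ALL":
            rules.append((m.group(1), m.group(2), line))
    return aliases, rules

def parse_sudo_version(banner):
    """Parse 'Sudo version 1.9.17p1' (first line of `sudo --version`) into a
    comparable tuple (major, minor, patch, p-level)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError("no version found in: " + banner)
    return tuple(int(x or 0) for x in m.groups())

def is_affected_version(banner):
    """True if the reported version lies in an affected range. Caveat:
    distribution backports may fix the bug while keeping an older version
    string, so confirm against your distribution's advisory as well."""
    v = parse_sudo_version(banner)
    return any(lo <= v <= hi for lo, hi in AFFECTED)
```

Any rule the audit reports is one whose effect could be altered by the host option on an unpatched build, which is exactly where patching should be prioritised.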
Major Linux distributions, including Ubuntu, Debian, SUSE, and Red Hat, have released security updates to address this vulnerability.
Given Sudo’s ubiquity, prompt action is critical to prevent unauthorized privilege escalation on affected systems.