The CISA has warned that a local privilege escalation vulnerability in Sudo (CVE-2025-32463, CVSS 9.3) is being actively exploited in the wild. The flaw, introduced in Sudo version 1.9.14 in 2023, allows any local user to execute commands with root privileges, even without being in the sudoers file. Exploitation requires tricking Sudo into loading a malicious /etc/nsswitch.conf file via the chroot feature, which has since been deprecated. The issue was patched in June with Sudo version 1.9.17p1, but proof-of-concept exploits have circulated since July, and CISA has mandated remediation within three weeks for federal agencies under BOD 22-01.
John McShane, Principal Product Manager for AI & Data Science, Cobalt:
“Privilege escalation flaws like this sudo chroot issue reinforce a recurring pattern in security: when high privilege software accepts untrusted input or environmental control without guardrails, the downstream impact can be massive. Remember last year’s CrowdStrike Falcon outage (CVE-2025-1146)? A malformed update triggered system crashes at scale across airlines, hospitals, and critical infrastructure. In both cases the root failure was trusted high privilege logic failing in edge scenarios, which is exactly why testing must include more than happy-path unit tests. Fuzzing that targets config and path resolution logic, focused penetration testing that simulates hostile environments, and unit and integration tests all could have caught this earlier.”
Wade Ellery, Chief Evangelist and IAM Strategy Officer, Radiant Logic:
“Security and defense from attack needs to be a multilayered operation. Compromising the network perimeter and in this case local access to a server and then taking over a benign local account dramatically increases the threat to the organization. When a vulnerability then allows any compromised local account to be escalated to root privileges the threat becomes catastrophic. In most organizations there are no further walls between the attacker and his targets. Layering in an additional line of defense is critical to stopping such an attack. Adding continuous observability into who is accessing what resources, and how privilege is being escalated shines the light into the dark corners of today’s vulnerabilities. Leveraging near real-time controls and remediation can prevent the escalated account from operating outside their original limited access. Strong identity governance combined with timely patching ensures that when privilege escalation attempts occur, they are detected, prevented, and contained before causing lasting harm.”
“This vulnerability illustrates how access and identity intersect with system-level controls. Even without being in the sudoers file, an attacker could gain full privileges, bypassing established access policies. That underlines the importance of continuous observability into who is accessing what resources, and how privilege is being escalated. Without that visibility, organizations are blind to the subtle shifts that transform a minor intrusion into a full compromise. Strong identity governance combined with timely patching ensures that when privilege escalation attempts occur, they are detected, prevented, and contained before causing lasting harm.”
This is another one of those today problems that affected organizations need to deal with. And it needs to be dealt with ASAP. So it’s once again it’s time to patch all the things.
Related
This entry was posted on September 30, 2025 at 3:10 pm and is filed under Commentary with tags CISA. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
The CISA warns of a Sudo Privilege Escalation Flaw
The CISA has warned that a local privilege escalation vulnerability in Sudo (CVE-2025-32463, CVSS 9.3) is being actively exploited in the wild. The flaw, introduced in Sudo version 1.9.14 in 2023, allows any local user to execute commands with root privileges, even without being in the sudoers file. Exploitation requires tricking Sudo into loading a malicious /etc/nsswitch.conf file via the chroot feature, which has since been deprecated. The issue was patched in June with Sudo version 1.9.17p1, but proof-of-concept exploits have circulated since July, and CISA has mandated remediation within three weeks for federal agencies under BOD 22-01.
John McShane, Principal Product Manager for AI & Data Science, Cobalt:
“Privilege escalation flaws like this sudo chroot issue reinforce a recurring pattern in security: when high privilege software accepts untrusted input or environmental control without guardrails, the downstream impact can be massive. Remember last year’s CrowdStrike Falcon outage (CVE-2025-1146)? A malformed update triggered system crashes at scale across airlines, hospitals, and critical infrastructure. In both cases the root failure was trusted high privilege logic failing in edge scenarios, which is exactly why testing must include more than happy-path unit tests. Fuzzing that targets config and path resolution logic, focused penetration testing that simulates hostile environments, and unit and integration tests all could have caught this earlier.”
Wade Ellery, Chief Evangelist and IAM Strategy Officer, Radiant Logic:
“Security and defense from attack needs to be a multilayered operation. Compromising the network perimeter and in this case local access to a server and then taking over a benign local account dramatically increases the threat to the organization. When a vulnerability then allows any compromised local account to be escalated to root privileges the threat becomes catastrophic. In most organizations there are no further walls between the attacker and his targets. Layering in an additional line of defense is critical to stopping such an attack. Adding continuous observability into who is accessing what resources, and how privilege is being escalated shines the light into the dark corners of today’s vulnerabilities. Leveraging near real-time controls and remediation can prevent the escalated account from operating outside their original limited access. Strong identity governance combined with timely patching ensures that when privilege escalation attempts occur, they are detected, prevented, and contained before causing lasting harm.”
“This vulnerability illustrates how access and identity intersect with system-level controls. Even without being in the sudoers file, an attacker could gain full privileges, bypassing established access policies. That underlines the importance of continuous observability into who is accessing what resources, and how privilege is being escalated. Without that visibility, organizations are blind to the subtle shifts that transform a minor intrusion into a full compromise. Strong identity governance combined with timely patching ensures that when privilege escalation attempts occur, they are detected, prevented, and contained before causing lasting harm.”
This is another one of those today problems that affected organizations need to deal with. And it needs to be dealt with ASAP. So it’s once again it’s time to patch all the things.
Share this:
Like this:
Related
This entry was posted on September 30, 2025 at 3:10 pm and is filed under Commentary with tags CISA. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.