CVE-2025-32463
Published: 30 June 2025
Summary
CVE-2025-32463 is a critical-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Canonical Ubuntu Linux. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 1.8% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).
Deeper analysis
Sudo before version 1.9.17p1 contains a flaw that permits local users to gain root privileges when the --chroot option is used. The utility loads /etc/nsswitch.conf from a directory under the attacker's control rather than the expected system location, allowing inclusion of attacker-supplied name-service modules.
An unprivileged local attacker can therefore supply a malicious nsswitch configuration inside a chroot environment and cause sudo to execute code with root rights, achieving full system compromise. The issue carries a CVSS score of 9.3 and is tracked under CWE-829 for inclusion of functionality from an untrusted control sphere.
Vendor advisories from Red Hat, Debian, Ubuntu, Gentoo, and Amazon Linux direct administrators to update to sudo 1.9.17p1 or later through their respective package repositories; no work-arounds are specified in the referenced notices.
The associated EPSS score stands at 0.5735, indicating substantial predicted exploitation likelihood.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-19673
Vulnerability details
Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
- CWE(s)
- KEV Date Added
- 29 September 2025
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2025-32463 is a local privilege escalation vulnerability in sudo allowing unprivileged users to gain root access via the --chroot option by controlling /etc/nsswitch.conf, directly enabling T1068: Exploitation for Privilege Escalation.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates the CVE by requiring timely application of the vendor-supplied Sudo 1.9.17p1 update that eliminates the untrusted nsswitch.conf load under --chroot.
Enforces least-privilege sudoers rules that can explicitly deny or scope the --chroot option, blocking the unauthenticated local root escalation path.
Access-enforcement mechanisms can restrict which users or sessions are permitted to invoke sudo with chroot, limiting the attack surface described in the CVE.