Cyber Resilience

CVE-2025-32463

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 30 June 2025

Published
30 June 2025
Modified
05 November 2025
KEV Added
29 September 2025
Patch
CVSS Score v3.1 9.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.5735 98.2th percentile
Risk Priority 73 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-32463 is a critical-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Canonical Ubuntu Linux. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 1.8% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-6 (Least Privilege) and SI-2 (Flaw Remediation).

Deeper analysis

Sudo before version 1.9.17p1 contains a flaw that permits local users to gain root privileges when the --chroot option is used. The utility loads /etc/nsswitch.conf from a directory under the attacker's control rather than the expected system location, allowing inclusion of attacker-supplied name-service modules.

An unprivileged local attacker can therefore supply a malicious nsswitch configuration inside a chroot environment and cause sudo to execute code with root rights, achieving full system compromise. The issue carries a CVSS score of 9.3 and is tracked under CWE-829 for inclusion of functionality from an untrusted control sphere.

Vendor advisories from Red Hat, Debian, Ubuntu, Gentoo, and Amazon Linux direct administrators to update to sudo 1.9.17p1 or later through their respective package repositories; no work-arounds are specified in the referenced notices.

The associated EPSS score stands at 0.5735, indicating substantial predicted exploitation likelihood.

EU & UK References

Vulnerability details

Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.

CWE(s)
KEV Date Added
29 September 2025

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

CVE-2025-32463 is a local privilege escalation vulnerability in sudo allowing unprivileged users to gain root access via the --chroot option by controlling /etc/nsswitch.conf, directly enabling T1068: Exploitation for Privilege Escalation.

Affected Assets

sudo project
sudo
1.9.17 · 1.9.14 — 1.9.17
canonical
ubuntu linux
22.04, 24.04, 24.10, 25.04
debian
debian linux
11.0, 12.0, 13.0
opensuse
leap
15.6
redhat
enterprise linux
10.0
suse
linux enterprise desktop
15
suse
linux enterprise real time
15.0
suse
linux enterprise server for sap
12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the CVE by requiring timely application of the vendor-supplied Sudo 1.9.17p1 update that eliminates the untrusted nsswitch.conf load under --chroot.

prevent

Enforces least-privilege sudoers rules that can explicitly deny or scope the --chroot option, blocking the unauthenticated local root escalation path.

prevent

Access-enforcement mechanisms can restrict which users or sessions are permitted to invoke sudo with chroot, limiting the attack surface described in the CVE.

References