
Critical sudo vulnerability is under active exploitation

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that hackers are actively exploiting a critical vulnerability (CVE-2025-32463) in the sudo utility, which allows commands to be executed on Linux with root-level privileges.

To recap, this issue was discovered by experts at Stratascale in the summer of 2025. As the researchers reported at the time, CVE-2025-32463, which scored 9.3 on the CVSS scale, affects sudo up to version 1.9.17p1. The vulnerability allows local users to gain root access because, when sudo is invoked with the -R (chroot) option, it reads /etc/nsswitch.conf from the user-controlled root directory.

“The default sudo configuration is vulnerable,” the researchers explained. “Although the issue is related to sudo’s chroot function, exploiting it does not require any sudoers rules to be defined for a specific user. As a result, any local unprivileged user can escalate their privileges to root.”

In other words, an attacker can trick sudo into loading an arbitrary shared library by creating an /etc/nsswitch.conf configuration file in the user-specified root directory, which can lead to the execution of malicious commands with elevated privileges.
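As an added example (not part of this report, and not code from Stratascale or the sudo project), the following POSIX shell snippet parses the first line of `sudo --version` and classifies the build against the affected range. It assumes that the chroot (-R) option the bug lives in was introduced in sudo 1.9.14 and that 1.9.17p1 is the first release with the fix; confirm both against your vendor's advisory. Distributions often backport fixes without changing the upstream version string, so an "affected" verdict means "check the package changelog", not proof of exposure.

```shell
#!/bin/sh
# Added example, not from the article: classify a sudo version string with
# respect to CVE-2025-32463. Assumes (per the upstream advisory) that the
# chroot (-R) option exists from 1.9.14 and that 1.9.17p1 is the first fixed
# release. Distribution packages may backport the fix without bumping the
# version, so "affected" here means "verify against the package changelog".

# Map "MAJOR.MINOR.PATCH[pN]" to one integer so versions compare with -lt/-ge.
# 1.9.17 -> 1091700, 1.9.17p1 -> 1091701.
sudo_version_key() {
    ver="$1"
    base="${ver%%p*}"                       # "1.9.17"
    case "$ver" in
        *p*) plevel="${ver#*p}" ;;          # "1"
        *)   plevel=0 ;;
    esac
    major="${base%%.*}"
    rest="${base#*.}"
    minor="${rest%%.*}"
    patch="${rest#*.}"
    [ "$patch" = "$rest" ] && patch=0       # "1.9" has no patch component
    echo $(( major * 1000000 + minor * 10000 + patch * 100 + plevel ))
}

# Pull the version token out of the banner line sudo prints first,
# e.g. "Sudo version 1.9.17p1". Prints nothing if the line does not match.
sudo_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.]*p\{0,1\}[0-9]*\).*$/\1/p'
}

# Exit status 0 when the version lies in the affected range [1.9.14, 1.9.17p1),
# 1 otherwise.
sudo_in_affected_range() {
    key=$(sudo_version_key "$1")
    [ "$key" -ge "$(sudo_version_key 1.9.14)" ] &&
        [ "$key" -lt "$(sudo_version_key 1.9.17p1)" ]
}

# Constructed sample banners; on a real host use: sudo --version | head -n 1
for banner in "Sudo version 1.9.13p3" "Sudo version 1.9.15p5" \
              "Sudo version 1.9.17" "Sudo version 1.9.17p1"; do
    v=$(sudo_version_from_banner "$banner")
    if sudo_in_affected_range "$v"; then
        echo "$v: within the affected range for CVE-2025-32463 (verify backports)"
    else
        echo "$v: outside the affected range"
    fi
done
```

The version is reduced to a single integer so that the patch level ("p1") sorts correctly after the bare release, which a plain string comparison would get wrong; `sudo_in_affected_range` can then be reused in fleet inventory scripts that already collect `sudo --version` output.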

As sudo maintainer Todd C. Miller reported at the time, the chroot option will be completely removed from a future sudo release, and supporting a user-specified root directory in general is “error-prone.”

In July, Stratascale researchers published a PoC exploit for CVE-2025-32463, and other exploits also appeared publicly, likely built from the researchers' technical report.

As CISA now warns, the CVE-2025-32463 vulnerability is already being used in real-world attacks, although the agency does not specify in which incidents or exactly how attackers are exploiting this bug.
