CISA has issued an urgent advisory for CVE-2025-32463, a critical vulnerability in the sudo utility shipped with Linux and Unix systems, citing evidence that it is being exploited in the wild.
The flaw lets a local, unprivileged user bypass sudo's access controls and execute arbitrary commands as root, even with no entry granting them anything in the sudoers file.
Classified as CWE-829 (Inclusion of Functionality from Untrusted Control Sphere), CVE-2025-32463 stems from how sudo handles the -R (--chroot) option.
When invoked as sudo -R /path/to/chroot command, sudo changes root into the user-supplied directory while it is still resolving the command path and looking up user and group information, and it never verifies that the directory is trustworthy. Because the attacker controls everything beneath that directory, a crafted /etc/nsswitch.conf placed inside the chroot redirects those name-service lookups to an attacker-supplied shared library, which sudo then loads and executes with root privileges.
In practice the exploit needs no more than a local account: the user creates a directory they own, populates it with the crafted configuration file and library, and runs sudo -R attacker_dir /bin/sh (or any other command) to obtain a root shell regardless of sudoers restrictions.
The primitive is simple enough to fold into post-exploitation toolkits, turning any local foothold into full system takeover.
While there are no confirmed reports of its use in ransomware campaigns to date, the severity of an unprivileged local user gaining root cannot be overstated.
CISA has set a remediation due date of 2025-10-20 for this vulnerability. Systems left unpatched risk complete compromise of confidentiality, integrity, and availability.
| Risk Factors | Details |
|---|---|
| Affected Products | Sudo 1.9.14 through 1.9.17 on Linux/Unix (the -R/--chroot option was introduced in 1.9.14); fixed in 1.9.17p1 |
| Impact | Local privilege escalation: an unprivileged user gains a root shell |
| Exploit Prerequisites | A local account and the ability to create a directory containing a crafted chroot environment; no sudoers entry is required |
| CVSS 3.1 Score | 9.3 (Critical) |
Organizations running any sudo release in the affected range must act immediately: upgrade to 1.9.17p1 or later (or the vendor backport that carries the fix), confirm the installed version after patching, and review sudo logs for unexpected use of -R/--chroot.
CISA's alert underscores the importance of disciplined patch management and ongoing monitoring. Administrators should apply the vendor's instructions or discontinue use of the vulnerable implementation where no mitigation is available.
Failing to address this vulnerability by the 2025-10-20 deadline leaves systems open to unauthorized root access, data breaches, and system-wide compromise.
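As an added example (not code from the CISA alert or from the sudo project), the following POSIX shell script performs the two checks an administrator wants after reading this advisory: it parses the output of sudo --version and decides whether the installed release falls in the affected range (1.9.14 up to but not including 1.9.17p1, the fixed release), and it scans sudo syslog lines for -R/--chroot use outside an allow-listed directory. The sample log lines are constructed for the example, and the allow-list prefix /srv/chroots/ and the exact layout of the CHROOT= log field are assumptions to adjust for your environment.

```shell
#!/bin/sh
# Added example (not from CISA's advisory or the sudo project): decide whether an
# installed sudo is in the CVE-2025-32463 range and flag chroot use in sudo logs.

# Affected range: 1.9.14 <= version < 1.9.17p1. Versions are folded into one
# integer (major*1000000 + minor*10000 + micro*100 + patchlevel) so that the
# "pN" patch suffix sorts correctly: 1.9.17 < 1.9.17p1.
sudo_version_to_int() {
    ver=$1
    base=${ver%%p*}
    patch=0
    case "$ver" in *p*) patch=${ver#*p} ;; esac
    oldifs=$IFS
    IFS=.
    set -- $base
    IFS=$oldifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 10000 + ${3:-0} * 100 + patch ))
}

# Takes the text printed by `sudo --version` (first line "Sudo version X.Y.ZpN").
# Exit status 0 = affected, 1 = not affected, 2 = could not parse a version.
sudo_is_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Sudo version *\([0-9][0-9.p]*\).*/\1/p' | head -n 1)
    [ -n "$ver" ] || return 2
    n=$(sudo_version_to_int "$ver")
    first=$(sudo_version_to_int 1.9.14)
    fixed=$(sudo_version_to_int 1.9.17p1)
    [ "$n" -ge "$first" ] && [ "$n" -lt "$fixed" ]
}

# Constructed sample of sudo syslog lines (not real data). The CHROOT=<dir> field
# appears when -R/--chroot is used; its position among TTY/PWD/USER/COMMAND is an
# assumption about the log layout, so the parser keys on the field name only.
SAMPLE_SUDO_LOG='Sep 30 10:01:02 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Sep 30 10:05:44 host sudo:      bob : TTY=pts/1 ; CHROOT=/tmp/woot ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/woot
Sep 30 10:05:45 host sudo:      bob : TTY=pts/1 ; CHROOT=/tmp/woot ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh
Sep 30 11:12:00 host sudo:    build : TTY=pts/2 ; CHROOT=/srv/chroots/bookworm ; PWD=/srv ; USER=root ; COMMAND=/usr/bin/apt-get build-dep foo'

# Hypothetical allow-list: chroots legitimately used by build tooling live here.
ALLOWED_CHROOT_PREFIX=${ALLOWED_CHROOT_PREFIX:-/srv/chroots/}

# Read log lines on stdin; print those where sudo ran inside a chroot that is not
# under the allow-listed prefix. A chroot under /tmp or a home directory is the
# CVE-2025-32463 pattern and deserves an investigation.
suspicious_chroot_lines() {
    while IFS= read -r line; do
        case "$line" in
            *" CHROOT="*) ;;
            *) continue ;;
        esac
        dir=${line#* CHROOT=}
        dir=${dir%% ;*}
        case "$dir" in
            "$ALLOWED_CHROOT_PREFIX"*) ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Number of suspicious lines in the constructed sample (self-check helper).
sample_hit_count() {
    printf '%s\n' "$SAMPLE_SUDO_LOG" | suspicious_chroot_lines | wc -l | tr -d ' '
}

# Live check of this host when run as `sh check_sudo.sh --check`.
if [ "${1:-}" = "--check" ] && command -v sudo >/dev/null 2>&1; then
    if sudo_is_affected "$(sudo --version 2>/dev/null)"; then
        echo "sudo is in the CVE-2025-32463 affected range; upgrade to 1.9.17p1 or later"
    else
        echo "sudo version is not in the affected range"
    fi
fi
```

Run it with --check on a host to test the installed sudo, or pipe /var/log/auth.log (or journalctl -t sudo output) into suspicious_chroot_lines to surface chroot invocations; the version comparison deliberately treats 1.9.17 as affected and 1.9.17p1 as fixed, which a plain string or float comparison gets wrong.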