Critical Sudo Flaw Being Exploited in Attacks, CISA Warns

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned on Monday that a recently patched privilege-escalation flaw in Sudo, the command-line utility used on virtually every Linux and macOS system, is being actively exploited by attackers. 

The Privilege Escalation Flaw 

Sudo is a core utility on Linux and macOS that lets authorized users run commands as another user, typically root, after authenticating with their own password rather than the superuser's; the sudoers file dictates who may run what. The vulnerability, tracked as CVE-2025-32463 (CVSS score 9.3, rated critical), severely undermines this security model. 

The flaw allows a local user to run commands as root through Sudo even if they are not listed in the sudoers file at all. Exploitation is possible only on systems that support /etc/nsswitch.conf, the file that tells the C library which Name Service Switch (NSS) modules, themselves shared libraries, to load for user and group lookups. An attacker creates a malicious /etc/nsswitch.conf under a directory they control and then invokes Sudo's chroot option (-R / --chroot) pointing at that directory. Because the vulnerable Sudo changed its root directory before resolving the command, it read the attacker's nsswitch.conf instead of the system's, and so loaded attacker-supplied library code while still running with root privileges. 

Patch and Warning 

The bug was introduced in Sudo 1.9.14 in 2023, when the chroot feature was added, so versions 1.9.14 through 1.9.17 are affected. It was fixed in June 2025 with the release of Sudo 1.9.17p1, which no longer resolves the command inside the user-selected root directory and deprecates the chroot option (the -R / --chroot flag and the runchroot sudoers setting), which is slated for removal in a future release. 

CISA has now added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, confirming it is being used in real-world attacks. Under Binding Operational Directive (BOD) 22-01, CISA requires all U.S. federal civilian agencies to remediate this vulnerability within the next three weeks. While the directive is binding only on federal agencies, CISA strongly advises all organizations to check the KEV list and apply the patches immediately. 
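Because the flaw is reachable by users who have no sudoers entry, the only reliable way to know whether a host is exposed is the installed Sudo version. The script below is an added example, not code from the article or from the Sudo project: it classifies a version string as printed by `sudo -V` against the affected range (1.9.14 up to and including 1.9.17; 1.9.17p1 and later are fixed; releases before 1.9.14 predate the chroot feature). The function name `sudo_chwoot_vulnerable` and the integer-packing scheme are this example's own choices.

```shell
#!/bin/sh
# Added example: decide whether a sudo version string falls in the range
# affected by CVE-2025-32463. Returns 0 when VULNERABLE, 1 when not affected.
# Accepts the upstream format "MAJOR.MINOR.PATCH[pN]", e.g. "1.9.17p1".
sudo_chwoot_vulnerable() {
    ver="$1"
    # Split off the optional "pN" suffix (absent means p0).
    base="${ver%%p*}"
    case "$ver" in
        *p*) plevel="${ver##*p}" ;;
        *)   plevel=0 ;;
    esac
    # Split the dotted part; a missing field defaults to 0.
    major="${base%%.*}"
    rest="${base#*.}"
    [ "$rest" = "$base" ] && rest=0
    minor="${rest%%.*}"
    patch="${rest#*.}"
    [ "$patch" = "$rest" ] && patch=0
    # Pack into one integer so plain numeric comparison orders versions
    # correctly: 1.9.17p1 -> 1*10000000 + 9*100000 + 17*100 + 1 = 10901701.
    n=$(( major * 10000000 + minor * 100000 + patch * 100 + plevel ))
    lo=$(( 1 * 10000000 + 9 * 100000 + 14 * 100 ))   # 1.9.14: chroot feature added
    hi=$(( 1 * 10000000 + 9 * 100000 + 17 * 100 ))   # 1.9.17: last unfixed release
    [ "$n" -ge "$lo" ] && [ "$n" -le "$hi" ]
}

# Extract the upstream version number from the first line of `sudo -V`
# ("Sudo version 1.9.17p1"). Prints nothing if sudo is not installed.
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p'
}

# Host check: report on the locally installed sudo, if any.
v=$(installed_sudo_version)
if [ -z "$v" ]; then
    echo "sudo not found on this host; nothing to check"
elif sudo_chwoot_vulnerable "$v"; then
    echo "sudo $v: version in the affected range for CVE-2025-32463; upgrade to 1.9.17p1 or later"
else
    echo "sudo $v: version not affected by CVE-2025-32463"
fi
```

One caveat before trusting a "vulnerable" verdict: Linux distributions usually backport security fixes without changing the upstream version number, so a packaged 1.9.15p5 or 1.9.16p2 may already carry the fix. Treat the version check as a triage filter and confirm against the distribution's package changelog or security advisory before declaring a host exposed or clean.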

CISA also added other actively exploited vulnerabilities to the KEV catalog on Monday: three new flaws, one each in Cisco IOS and IOS XE, Fortra GoAnywhere MFT, and the Libraesva Email Security Gateway, along with an older server-side request forgery (SSRF) flaw in Adminer (CVE-2021-21311). 