Urgent CISA Alert: Active Attacks Exploit Critical Linux Sudo Flaw

Summary
– Hackers are actively exploiting CVE-2025-32463, a critical sudo vulnerability allowing root-level command execution on Linux systems.
– CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog and requires federal agencies to mitigate it by October 20.
– The flaw enables local attackers to escalate privileges using the -R option even without sudoers file authorization.
– CVE-2025-32463 affects sudo versions 1.9.14 through 1.9.17 and has a critical severity score of 9.3/10.
– Proof-of-concept exploits are publicly available, and organizations should prioritize patching using CISA’s catalog as guidance.
A critical security vulnerability within the Linux sudo utility is now under active exploitation by malicious actors, posing a severe risk to systems globally. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added this flaw, tracked as CVE-2025-32463, to its Known Exploited Vulnerabilities catalog, signaling urgent action is required. Federal agencies have been directed to implement official mitigations or discontinue sudo usage by October 20 to prevent potential breaches.
This vulnerability enables a local attacker to escalate their privileges to root level by exploiting the -R (--chroot) option, even if they are not authorized within the sudoers configuration file. Sudo, which stands for “superuser do,” is a fundamental system tool that permits administrators to grant specific users the ability to run commands with elevated permissions while keeping a detailed log of those activities.
Disclosed on June 30, the security flaw impacts sudo versions 1.9.14 through 1.9.17 and has been assigned a critical severity rating of 9.3 out of 10. According to the security advisory, an attacker can leverage the -R option to execute arbitrary commands as root without being listed in the sudoers file. Rich Mirch, the researcher at Stratascale who identified the vulnerability, emphasized that the issue affects the default sudo configuration and can be exploited even without any predefined user rules.
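For teams triaging this advisory, the two practical questions are whether a host runs a sudo build in the stated affected range and whether anyone has already invoked sudo with the chroot option. The following script is an added example (it is not from the article, from CISA, or from the sudo project): it parses `sudo --version` output against the 1.9.14 through 1.9.17 range the article gives, and scans sudo syslog lines for a `CHROOT=` field. Two assumptions are built in: a "pN" patch-level suffix is treated as sorting after the bare release (so a 1.9.17p1 build would fall outside the stated range), and the sample log lines are constructed here in the shape of sudo's syslog format with a `CHROOT=` field recorded when -R is used.

```python
import re
import subprocess

# Affected range exactly as the advisory states it: sudo 1.9.14 through 1.9.17.
AFFECTED_MIN = (1, 9, 14, 0)
AFFECTED_MAX = (1, 9, 17, 0)

_VERSION_RE = re.compile(r"Sudo version (\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text: str):
    """Return (major, minor, patch, plevel) from `sudo --version` output, or None.

    The first line of that output looks like "Sudo version 1.9.17p1"; the
    optional "pN" suffix is sudo's patch level, stored as the fourth element.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(version) -> bool:
    """True when the version lies inside the advisory's affected range.

    Assumption: a "p" suffix sorts after the bare release (tuple comparison
    does this), so e.g. 1.9.17p1 is treated as above 1.9.17 and not flagged.
    """
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def check_local_sudo():
    """Run `sudo --version` on this host.

    Returns True if affected, False if not, None if sudo is missing or the
    version line is not recognised.
    """
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    v = parse_sudo_version(out)
    return None if v is None else is_affected(v)


# --- Log review: which users invoked sudo with a chroot (-R / --chroot)? ---
# Assumed log shape (constructed for this example): sudo's syslog line with a
# "CHROOT=<dir>" field among the " ; "-separated fields when -R was used.
_CHROOT_RE = re.compile(r"\bCHROOT=(\S+)")
_USER_RE = re.compile(r"sudo:\s+(\S+)\s+:")


def find_chroot_invocations(lines):
    """Return [(user, chroot_dir)] for every sudo log line that records a chroot."""
    hits = []
    for line in lines:
        if "sudo:" not in line:
            continue
        m = _CHROOT_RE.search(line)
        if not m:
            continue
        u = _USER_RE.search(line)
        hits.append((u.group(1) if u else "?", m.group(1)))
    return hits


# Constructed sample lines; only the first records a chroot and should be flagged.
SAMPLE_LOG = [
    "Jun 30 12:00:01 host sudo:    alice : TTY=pts/0 ; CHROOT=/tmp/chrootdir ; "
    "PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id",
    "Jun 30 12:00:02 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; "
    "USER=root ; COMMAND=/usr/bin/apt update",
    "Jun 30 12:00:03 host sshd[1234]: Accepted publickey for bob from 10.0.0.5",
]

if __name__ == "__main__":
    for v in ("Sudo version 1.9.13", "Sudo version 1.9.15", "Sudo version 1.9.17p1"):
        flag = "affected" if is_affected(parse_sudo_version(v)) else "not in range"
        print(f"{v} -> {flag}")
    print("chroot invocations:", find_chroot_invocations(SAMPLE_LOG))
    print("this host affected:", check_local_sudo())
```

Run it on each host (or feed `find_chroot_invocations` the host's auth log) to build the patch-priority list; a build reported as "not in range" still deserves a check against the vendor's own advisory, since distributions sometimes backport fixes without changing the upstream version string.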
Mirch published a proof-of-concept exploit for CVE-2025-32463 on July 4. The vulnerability has been present since the release of version 1.9.14 in June 2023. Since July 1, additional exploits have appeared in public forums, likely developed from the initial technical documentation.
Although CISA has confirmed that real-world attacks are actively leveraging this sudo vulnerability, the agency has not provided specific details about the nature of these incidents. Organizations across the globe are strongly encouraged to consult the CISA Known Exploited Vulnerabilities catalog to prioritize patching efforts and deploy necessary security measures promptly.
(Source: Bleeping Computer)