9.3 CVE-2025-32463

CISA Kev Catalog RCE LCI RCI Local Execution Code Exploit

Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
https://nvd.nist.gov/vuln/detail/CVE-2025-32463

References

134c704f-9b21-4f2e-91b3-4a467353bcc0

https://iototsecnews.jp/2025/07/01/linux-sudo-chroot-vulnerability-enables-ha... Third Party Advisory

cve@mitre.org Exploit

https://access.redhat.com/security/cve/cve-2025-32463 Third Party Advisory
https://bugs.gentoo.org/show_bug.cgi?id=CVE-2025-32463 Issue Tracking Third Party Advisory
https://explore.alas.aws.amazon.com/CVE-2025-32463.html Third Party Advisory
https://security-tracker.debian.org/tracker/CVE-2025-32463 Third Party Advisory
https://ubuntu.com/security/notices/USN-7604-1 Third Party Advisory
https://www.openwall.com/lists/oss-security/2025/06/30/3 Third Party Advisory
https://www.secpod.com/blog/sudo-lpe-vulnerabilities-resolved-what-you-need-t... Exploit Third Party Advisory
https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot Exploit Third Party Advisory
https://www.sudo.ws/releases/changelog/ Release Notes
https://www.sudo.ws/security/advisories/ Vendor Advisory
https://www.sudo.ws/security/advisories/chroot_bug/ Vendor Advisory
https://www.suse.com/security/cve/CVE-2025-32463.html Third Party Advisory
https://www.suse.com/support/update/announcement/2025/suse-su-202502177-1/ Third Party Advisory
https://www.vicarius.io/vsociety/posts/cve-2025-32463-detect-sudo-vulnerability Third Party Advisory
https://www.vicarius.io/vsociety/posts/cve-2025-32463-mitigate-sudo-vulnerabi... Mitigation Third Party Advisory

CPE

cpe	start	end
Configuration 1
cpe:2.3:a:sudo_project:sudo::::::::	>= 1.9.14	< 1.9.17
cpe:2.3:a:sudo_project:sudo:1.9.17:-::::::
Configuration 2
cpe:2.3:o:canonical:ubuntu_linux:22.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:24.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:24.10::::-:::
cpe:2.3:o:canonical:ubuntu_linux:25.04::::-:::
cpe:2.3:o:debian:debian_linux:11.0:::::::*
cpe:2.3:o:debian:debian_linux:12.0:::::::*
cpe:2.3:o:debian:debian_linux:13.0:::::::*
cpe:2.3:o:opensuse:leap:15.6:::::::*
cpe:2.3:o:redhat:enterprise_linux:10.0:::::::*
cpe:2.3:o:suse:linux_enterprise_desktop:15:sp6::::::
cpe:2.3:o:suse:linux_enterprise_desktop:15:sp7::::::
cpe:2.3:o:suse:linux_enterprise_real_time:15.0:sp2::::::
cpe:2.3:o:suse:linux_enterprise_real_time:15.0:sp6::::::
cpe:2.3:o:suse:linux_enterprise_real_time:15.0:sp7::::::
cpe:2.3:o:suse:linux_enterprise_server_for_sap:12:sp6::::::
cpe:2.3:o:suse:linux_enterprise_server_for_sap:12:sp7::::::

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
https://github.com/pr0v3rbs/CVE-2025-32463_chwoot
https://github.com/K1tt3h/CVE-2025-32463-POC
https://github.com/SysMancer/CVE-2025-32463
https://github.com/kh4sh3i/CVE-2025-32463
https://github.com/pevinkumar10/CVE-2025-32463
https://github.com/zhaduchanhzz/CVE-2025-32463_POC
https://github.com/robbert1978/CVE-2025-32463_POC
https://github.com/Mikivirus0/sudoinjection
https://github.com/nflatrea/CVE-2025-32463
https://github.com/ill-deed/CVE-2025-32463_illdeed
https://github.com/zinzloun/CVE-2025-32463
https://github.com/junxian428/CVE-2025-32463
https://github.com/FreeDurok/CVE-2025-32463-PoC
https://github.com/lowercasenumbers/CVE-2025-32463_sudo_chroot
https://github.com/abrewer251/CVE-2025-32463_Sudo_PoC
https://github.com/MGunturG/CVE-2025-32463
https://github.com/daryllundy/CVE-2025-32463
https://github.com/KaiHT-Ladiant/CVE-2025-32463
https://github.com/aldoClau98/CVE-2025-32463
https://github.com/painoob/CVE-2025-32463
https://github.com/Yuy0ung/CVE-2025-32463_chwoot
https://github.com/blackcat4347/CVE-2025-32463_PoC
https://github.com/ashardev002/CVE-2025-32463_chwoot
https://github.com/nelissandro/CVE-2025-32463-Sudo-Chroot-Escape
https://github.com/AC8999/CVE-2025-32463

Other Nist (github, ...)

Url
https://www.secpod.com/blog/sudo-lpe-vulnerabilities-resolved-what-you-need-t...
https://www.stratascale.com/vulnerability-alert-CVE-2025-32463-sudo-chroot

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
175	Code Inclusion An adversary exploits a weakness on the target to force arbitrary code to be retrieved locally or from a remote location and executed. This differs from code injection in that code injection involves the direct inclusion of code while code inclusion involves the addition or replacement of a reference to a code file, which is subsequently loaded by the target and used as part of the code of some application.	Very High
201	Serialized Data External Linking An adversary creates a serialized data file (e.g. XML, YAML, etc...) that contains an external data reference. Because serialized data parsers may not validate documents with external references, there may be no checks on the nature of the reference in the external data. This can allow an adversary to open arbitrary files or connections, which may further lead to the adversary gaining access to information on the system that they would normally be unable to obtain. [Survey the target] Using a browser or an automated tool, an adversary records all instances of web services that process requests with serialized data. [Craft malicious payload] The adversary crafts malicious data message that contains references to sensitive files. [Launch an External Linking attack] Send the malicious crafted message containing the reference to a sensitive file to the target URL.	High
228	DTD Injection An attacker injects malicious content into an application's DTD in an attempt to produce a negative technical impact. DTDs are used to describe how XML documents are processed. Certain malformed DTDs (for example, those with excessive entity expansion as described in CAPEC 197) can cause the XML parsers that process the DTDs to consume excessive resources resulting in resource depletion. [Survey the target] Using a browser or an automated tool, an attacker records all instances of web services to process XML requests. [Determine use of XML with DTDs] Examine application input to identify XML input that leverage the use of one or more DTDs. [Craft and inject XML containg malicious DTD payload]	Medium
251	Local Code Inclusion The attacker forces an application to load arbitrary code files from the local machine. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways.	Medium
252	PHP Local File Inclusion The attacker loads and executes an arbitrary local PHP file on a target machine. The attacker could use this to try to load old versions of PHP files that have known vulnerabilities, to load PHP files that the attacker placed on the local machine during a prior attack, or to otherwise change the functionality of the targeted application in unexpected ways. [Survey application] Using a browser or an automated tool, an adversary follows all public links on a web site. They record all the links they find. The adversary is looking for URLs that show PHP file inclusion is used, which can look something like "http://vulnerable-website/file.php?file=index.php". [Attempt variations on input parameters] Once the adversary finds a vulnerable URL that takes file input, they attempt a variety of path traversal techniques to attempt to get the application to display the contents of a local file, or execute a different PHP file already stored locally on the server. [Include desired local file] Once the adversary has determined which techniques of path traversal successfully work with the vulnerable PHP application, they will target a specific local file to include. These can be files such as "/etc/passwd", "/etc/shadow", or configuration files for the application that might expose sensitive information.	Medium
253	Remote Code Inclusion The attacker forces an application to load arbitrary code files from a remote location. The attacker could use this to try to load old versions of library files that have known vulnerabilities, to load malicious files that the attacker placed on the remote machine, or to otherwise change the functionality of the targeted application in unexpected ways.
263	Force Use of Corrupted Files This describes an attack where an application is forced to use a file that an attacker has corrupted. The result is often a denial of service caused by the application being unable to process the corrupted file, but other results, including the disabling of filters or access controls (if the application fails in an unsafe way rather than failing by locking down) or buffer overflows are possible.	Medium
538	Open-Source Library Manipulation Adversaries implant malicious code in open source software (OSS) libraries to have it widely distributed, as OSS is commonly downloaded by developers and other users to incorporate into software development projects. The adversary can have a particular system in mind to target, or the implantation can be the first stage of follow-on attacks on many systems. [Determine the relevant open-source code project to target] The adversary will make the selection based on various criteria: [Develop a plan for malicious contribution] The adversary develops a plan to contribute malicious code, taking the following into consideration: [Execute the plan for malicious contribution] Write the code to be contributed based on the plan and then submit the contribution. Multiple commits, possibly using multiple identities, will help obscure the attack. Monitor the contribution site to try to determine if the code has been uploaded to the target system.	High
549	Local Execution of Code An adversary installs and executes malicious code on the target system in an effort to achieve a negative technical impact. Examples include rootkits, ransomware, spyware, adware, and others.	High
640	Inclusion of Code in Existing Process The adversary takes advantage of a bug in an application failing to verify the integrity of the running process to execute arbitrary code in the address space of a separate live process. The adversary could use running code in the context of another process to try to access process's memory, system/network resources, etc. The goal of this attack is to evade detection defenses and escalate privileges by masking the malicious code under an existing legitimate process. Examples of approaches include but not limited to: dynamic-link library (DLL) injection, portable executable injection, thread execution hijacking, ptrace system calls, VDSO hijacking, function hooking, reflective code loading, and more. [Determine target process] The adversary determines a process with sufficient privileges that they wish to include code into. [Attempt to include simple code with known output] The adversary attempts to include very simple code into the existing process to determine if the code inclusion worked. The code will differ based on the approach used to include code into an existing process. [Include arbitrary code into existing process] Once an adversary has determined that including code into the existing process is possible, they will include code for a targeted purpose, such as accessing that process's memory.	High
660	Root/Jailbreak Detection Evasion via Hooking An adversary forces a non-restricted mobile application to load arbitrary code or code files, via Hooking, with the goal of evading Root/Jailbreak detection. Mobile device users often Root/Jailbreak their devices in order to gain administrative control over the mobile operating system and/or to install third-party mobile applications that are not provided by authorized application stores (e.g. Google Play Store and Apple App Store). Adversaries may further leverage these capabilities to escalate privileges or bypass access control on legitimate applications. Although many mobile applications check if a mobile device is Rooted/Jailbroken prior to authorized use of the application, adversaries may be able to "hook" code in order to circumvent these checks. Successfully evading Root/Jailbreak detection allows an adversary to execute administrative commands, obtain confidential data, impersonate legitimate users of the application, and more. [Identify application with attack potential] The adversary searches for and identifies a mobile application that could be exploited for malicious purposes (e.g. banking, voting, or medical applications). [Develop code to be hooked into chosen target application] The adversary develops code or leverages existing code that will be hooked into the target application in order to evade Root/Jailbreak detection methods. [Execute code hooking to evade Root/Jailbreak detection methods] Once hooking code has been developed or obtained, execute the code against the target application to evade Root/Jailbreak detection methods.	Very High
695	Repo Jacking [Identify target] The adversary must first identify a target repository that is commonly used and whose owner/maintainer has either changed/deleted their username or transferred ownership of the repository and then deleted their account. The target should typically be a popular and widely used package, as to increase the scope of the attack. [Recreate initial repository path] The adversary re-registers the account that was renamed/deleted by the target repository's owner/maintainer and recreates the target repository with malicious code intended to exploit an application. These steps may need to happen in reverse (i.e., recreate repository and then rename an existing account to the target account) if protections are in place to prevent repository reuse. [Exploit victims] The adversary's malicious code is incorporated into applications that directly reference the initial repository, which further allows the adversary to conduct additional attacks.	High
698	Install Malicious Extension [Identify target(s)] The adversary must first identify target software that allows for extensions/plugins and which they wish to exploit, such as a web browser or desktop application. To increase the attack space, this will often be popular software with a large user-base. [Create malicious extension] Having identified a suitable target, the adversary crafts a malicious extension/plugin that can be installed by the underlying target software. This malware may be targeted to execute on specific operating systems or be operating system agnostic. [Install malicious extension] The malicious extension/plugin is installed by the underlying target software and executes the adversary-created malware, resulting in a variety of negative technical impacts.	High

MITRE

Techniques

id	description
T1055	Process Injection
T1176	Browser Extensions
T1195.001	Supply Chain Compromise: Compromise Software Dependencies and Development Tools
T1505.004	Server Software Component: IIS Components
T1505.005	Server Software Component: Terminal Services DLL
T1574.006	Hijack Execution Flow:Dynamic Linker Hijacking
T1574.013	Hijack Execution Flow: KernelCallbackTable
T1620	Reflective Code Loading
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id	description
M1026	Utilize Yama (ex: /proc/sys/kernel/yama/ptrace_scope) to mitigate ptrace based process injection by restricting the use of ptrace to privileged users only. Other mitigation controls involve the deployment of security kernel modules that provide advanced access control and process restrictions such as SELinux, grsecurity, and AppArmor.
M1017	Close out all browser sessions when finished using them to prevent any potentially malicious extensions from continuing to run.
M1016	Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well.
M1026	Do not allow administrator accounts that have permissions to add IIS components to be used for day-to-day operations that may expose these permissions to potential adversaries and/or other unprivileged systems.
M1024	Consider using Group Policy to configure and block modifications to Terminal Services parameters in the Registry.
M1028	When System Integrity Protection (SIP) is enabled in macOS, the aforementioned environment variables are ignored when executing protected binaries. Third-party applications can also leverage Apple’s Hardened Runtime, ensuring these environment variables are subject to imposed restrictions. Admins can add restrictions to applications by setting the setuid and/or setgid bits, use entitlements, or have a __RESTRICT segment in the Mach-O binary.
M1040	Some endpoint security solutions can be configured to block some types of behaviors related to process injection/memory tampering based on common sequences of indicators (ex: execution of specific API functions).
© 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation.

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee

cpe	start	end
Configuration 1
cpe:2.3:a:sudo_project:sudo::::::::	>= 1.9.14	< 1.9.17
cpe:2.3:a:sudo_project:sudo:1.9.17:-::::::
Configuration 2
cpe:2.3:o:canonical:ubuntu_linux:22.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:24.04::::lts:::
cpe:2.3:o:canonical:ubuntu_linux:24.10::::-:::
cpe:2.3:o:canonical:ubuntu_linux:25.04::::-:::
cpe:2.3:o:debian:debian_linux:11.0:::::::*
cpe:2.3:o:debian:debian_linux:12.0:::::::*
cpe:2.3:o:debian:debian_linux:13.0:::::::*
cpe:2.3:o:opensuse:leap:15.6:::::::*
cpe:2.3:o:redhat:enterprise_linux:10.0:::::::*
cpe:2.3:o:suse:linux_enterprise_desktop:15:sp6::::::
cpe:2.3:o:suse:linux_enterprise_desktop:15:sp7::::::
cpe:2.3:o:suse:linux_enterprise_real_time:15.0:sp2::::::
cpe:2.3:o:suse:linux_enterprise_real_time:15.0:sp6::::::
cpe:2.3:o:suse:linux_enterprise_real_time:15.0:sp7::::::
cpe:2.3:o:suse:linux_enterprise_server_for_sap:12:sp6::::::
cpe:2.3:o:suse:linux_enterprise_server_for_sap:12:sp7::::::