12-Year-Old Sudo Linux Vulnerability Enables Privilege Escalation to Root User

A significant security vulnerability discovered in the widely used Sudo utility has remained hidden for over 12 years, potentially exposing millions of Linux and Unix systems to privilege escalation attacks. 

The vulnerability identified as CVE-2025-32462 allows unauthorized users to gain root access on affected systems by exploiting the Sudo host option functionality.

Key Takeaways
1. 12-Year-Old Vulnerability, CVE-2025-32462 in Sudo's -h option has allowed root escalation since 2013.
2. Affects Sudo versions 1.8.8-1.9.17 across Linux/Unix systems including Ubuntu and macOS.
3. Uses built-in functionality to bypass Host/Host_Alias security restrictions.
4. Patch to Sudo 1.9.17p1+ immediately - no workaround available.

The Stratascale Cyber Research Unit (CRU) team discovered this critical flaw, which has been present since the implementation of the -h (–host) option in Sudo version 1.8.8, released in September 2013.

Sudo Privilege Escalation Vulnerability

The CVE-2025-32462 vulnerability exploits a fundamental flaw in how Sudo processes the -h or –host option when used with commands other than the list operation (-l). 

While the documentation explicitly states that the host option should only work “in conjunction with the -l (–list) option,” the vulnerability allows malicious actors to execute privileged commands by specifying remote host rules that bypass local security restrictions.

The vulnerability specifically targets environments using Host or Host_Alias directives in their /etc/sudoers configuration files. 

When a user executes commands like sudo -h dev.test.local -i or sudoedit -h ci.test.local /etc/passwd, the system incorrectly treats remote host rules as valid for the local machine, effectively circumventing intended access controls and granting unauthorized root privileges.

Affected versions include Stable 1.9.0 through 1.9.17 and Legacy 1.8.8 through 1.8.32. The vulnerability has been verified on Ubuntu 24.04.1 with Sudo versions 1.9.15p5 and 1.9.16p2, as well as macOS Sequoia 15.3.2 with Sudo 1.9.13p2. 

Notably, this privilege escalation requires no exploit code, as it leverages built-in Sudo functionality.

A recent Elevation of Privilege vulnerability in Sudo’s chroot feature allows any local unprivileged user to gain root access, posing a serious security risk. Users and administrators should be aware of and take necessary actions.

Mitigations

System administrators must immediately update to Sudo version 1.9.17p1 or later to address this vulnerability. 

No workaround exists for this issue, making prompt patching essential for maintaining system security. Security teams should conduct comprehensive audits of their Sudo configurations by searching for any usage of Host or Host_Alias options in /etc/sudoers and files under /etc/sudoers.d. 

For environments storing Sudo rules in LDAP, administrators should use tools like ldapsearch to dump and review all rules.

The discovery highlights the importance of regular security audits of critical system utilities and demonstrates how long-standing vulnerabilities can remain undetected in widely-deployed software components.

Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now