Hackers are actively exploiting a critical vulnerability (CVE-2025-32463) in the sudo package that enables the execution of commands with root-level privileges on Linux operating systems.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, describing it as “an inclusion of functionality from untrusted control sphere.”
CISA has given federal agencies until October 20 to apply the official mitigations or discontinue the use of sudo.
A local attacker can exploit this flaw to escalate privileges by using the -R (–chroot) option, even if they are not included in the sudoers list, a configuration file that specifies which users or groups are authorized to execute commands with elevated permissions.
Sudo (“superuser do”) allows system administrators to delegate their authority to certain unprivileged users while logging the executed commands and their arguments.
Officially disclosed on June 30, CVE-2025-32463 affects sudo versions 1.9.14 through 1.9.17 and has received a critical severity score of 9.3 out of 10.
“An attacker can leverage sudo’s -R (–chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file,” explains the security advisory.
Rich Mirch, a researcher at cybersecurity services company Stratascale who discovered CVE-2025-32463, noted that the issue impacts the default sudo configuration and can be exploited without any predefined rules for the user.
On July 4, Mirch released a proof-of-concept exploit for the CVE-2025-32463 flaw, which has existed since June 2023 with the release of version 1.9.14.
However, additional exploits have circulated publicly since July 1, likely derived from the technical write-up.
CISA has warned that the CVE-2025-32463 vulnerability in sudo is being exploited in real-world attacks, although the agency has not specified the types of incidents in which it has been leveraged.
Organizations worldwide are advised to use CISA’s Known Exploited Vulnerabilities catalog as a reference for prioritizing patching and implementing other security mitigations.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
