The US cybersecurity agency CISA on Monday warned that a recently patched local privilege escalation vulnerability in Sudo has been exploited in the wild.
A command-line utility for Linux and macOS, Sudo enables specified users to execute commands with root or administrator privileges without having to log in as superuser. A Windows implementation of the Sudo concept also exists, but it is not a fork or port of the Unix project.
Because of the elevated temporary access that Sudo provides on Linux and macOS, only users configured in a sudoers file are permitted to execute commands via Sudo.
The security defect flagged as exploited by CISA, tracked as CVE-2025-32463 (CVSS score of 9.3), allows any user to execute commands using Sudo, even if they are not configured in the sudoers file.
Successful exploitation of the bug is only possible on systems that support /etc/nsswitch.conf, as it requires for the attacker to create an /etc/nsswitch.conf file under a user-specified root directory and then use the chroot feature to trick Sudo into loading it.
The bug was introduced in 2023 in Sudo version 1.9.14 and was resolved in June with the release of Sudo version 1.9.17p1, which deprecated the chroot feature and removed the option to run commands with a user-selected root directory.
CISA now warns that the CVE has been exploited in attacks, urging federal agencies to address it in their environments within the next three weeks, as mandated by the Binding Operational Directive (BOD) 22-01.
There have been no reports on CVE-2025-32463 being exploited in the wild prior to CISA adding it to the Known Exploited Vulnerabilities (KEV) catalog. However, proof-of-concept (PoC) exploits have been available since July.
On Monday, the cybersecurity agency also added to KEV three recently disclosed vulnerabilities in Cisco IOS and IOS XE (CVE-2025-20352), Fortra GoAnywhere MFT (CVE-2025-10035), and Libraesva Email Security Gateway (CVE-2025-59689), all three marked as exploited last week.
Additionally, CISA added to KEV CVE-2021-21311, a server-side request forgery (SSRF) flaw in Adminer, which was first flagged as exploited in 2022.
While BOD 22-01 only applies to federal agencies, all organizations are advised to review CISA’s KEV list and apply the recommended mitigations for the vulnerabilities it describes.
Related: Akira Ransomware’s Exploitation of SonicWall Vulnerability Continues
Related: Decade-Old Pixie Dust Wi-Fi Hack Still Impacts Many Devices
Related: Academics Build AI-Powered Android Vulnerability Discovery and Validation Tool
Related: Vulnerabilities Expose exacqVision Video Surveillance Systems to Remote Attacks
