Sudo privilege escalation flaws: what IAM teams need to know


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9016
Topic starter  

TL;DR: Two sudo vulnerabilities, CVE-2025-32462 and CVE-2025-32463, let local users bypass host checks or load malicious libraries with root privileges, affecting Linux and macOS systems and prompting CISA KEV inclusion for the latter, according to Oligo Security. The bigger lesson is that privilege boundaries built for stable administrative workflows fail fast when elevation paths are exploitable at runtime.

NHIMG editorial — based on content published by Oligo Security: New sudo vulnerabilities, CVE-2025-32462 and CVE-2025-32463

By the numbers:

Questions worth separating out

Q: What breaks when sudo privilege checks can be bypassed locally?

A: A local user can move from limited command execution to root-level control without crossing the normal policy boundary.

Q: Why does sudo exploitation matter for IAM and PAM teams?

A: Because sudo is a privilege boundary, not just a Linux utility.

Q: How do security teams know whether sudo exposure is really closed?

A: They need to verify the active binary, not only the patch ticket or package record.

Practitioner guidance

  • Verify the live sudo binary on every host: confirm sudo 1.9.17p1 or the distro backport is the version actually executing, not just the version recorded in the package database.
  • Review host-specific sudoers rules: search /etc/sudoers* for host-scoped entries that are not ALL, then convert them to group-based or tag-based controls where possible.
  • Remove deprecated chroot directives: disable use_chroot and delete CHROOT= or runchroot=* directives so privilege checks cannot be paired with attacker-controlled filesystem state.

What's in the full article

Oligo Security's full post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step remediation guidance for CVE-2025-32462 and CVE-2025-32463 across Linux distributions and macOS
  • Command-level examples for spotting improper -h and --chroot usage during privilege escalation attempts
  • Runtime detection details for identifying vulnerable sudo versions even when package records look current
  • Hardening guidance for writable system paths that can be abused during root transitions

👉 Read Oligo Security's analysis of the new sudo privilege escalation flaws →

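The three practitioner checks in the post above (live binary version, host-scoped sudoers entries, chroot directives) as one runnable audit script. This is an added editor's example, not Oligo Security's tooling and not code from the original post. It assumes 1.9.17p1 as the fixed upstream version (taken from the post), treats any lower version string as "confirm a distro backport" rather than "fixed" because backported packages keep an older version number, and ships a constructed sudoers sample so the parsing can be exercised offline; the live audit path needs root to read /etc/sudoers and only runs when SUDO_AUDIT_LIVE=1.

```bash
#!/usr/bin/env bash
# Added example (NHIMG editor), not Oligo Security's code. Helpers for the three
# guidance items: live sudo version, host-scoped user specs, chroot directives.

FIXED_SUDO_VERSION="1.9.17p1"   # upstream release named in the post as the fix

# Normalise "1.9.17p1" or "Sudo version 1.9.15p5 ..." into "major minor patch plevel".
sudo_version_fields() {
  local s=$1 core plevel maj min pat
  s=${s#"${s%%[0-9]*}"}            # drop a non-digit prefix such as "Sudo version "
  core=${s%%[!0-9.]*}              # "1.9.17" (stops at 'p', a space, or end of string)
  plevel=0
  case ${s#"$core"} in
    p[0-9]*) plevel=${s#"$core"p}; plevel=${plevel%%[!0-9]*} ;;
  esac
  IFS=. read -r maj min pat <<<"$core"
  [ -n "$maj" ] && [ -n "$min" ] && [ -n "$pat" ] || return 1
  printf '%s %s %s %s\n' "$maj" "$min" "$pat" "$plevel"
}

# Exit 0 when sudo version $1 >= version $2, 1 when lower, 2 when unparseable.
sudo_version_ge() {
  local -a a b
  local i
  read -r -a a <<<"$(sudo_version_fields "$1")"
  read -r -a b <<<"$(sudo_version_fields "$2")"
  [ "${#a[@]}" -eq 4 ] && [ "${#b[@]}" -eq 4 ] || return 2
  for i in 0 1 2 3; do
    [ "${a[i]}" -gt "${b[i]}" ] && return 0
    [ "${a[i]}" -lt "${b[i]}" ] && return 1
  done
  return 0
}

# Version verdict. A lower version is NOT declared vulnerable outright: distros
# backport the fix without bumping the version string, so it needs manual confirmation.
sudo_version_status() {
  if sudo_version_ge "$1" "$FIXED_SUDO_VERSION"; then
    echo "fixed-upstream"; return 0
  fi
  echo "below-$FIXED_SUDO_VERSION: confirm a distro backport or treat as exposed"; return 1
}

# Print user specifications whose host field is anything other than ALL.
# Comments, blank lines, Defaults, aliases and @include lines are skipped.
host_scoped_entries() {
  awk '
    /^[[:space:]]*(#|$)/            { next }
    /^[[:space:]]*Defaults/         { next }
    /^[[:space:]]*[A-Za-z_]+_Alias/ { next }
    /^[[:space:]]*@/                { next }
    index($0, "=") {
      lhs = substr($0, 1, index($0, "=") - 1)   # "user host" part of "user host=(runas) cmd"
      sub(/^[[:space:]]+/, "", lhs)
      n = split(lhs, f, /[[:space:]]+/)
      if (n >= 2 && f[2] != "ALL") print FILENAME ": " $0
    }' "$@"
}

# Print lines carrying the chroot-related directives named in the guidance.
chroot_directives() {
  grep -nHE 'use_chroot|CHROOT=|runchroot' "$@" || true
}

# Live audit: the binary that actually executes, its self-reported version, and
# sudoers findings for this host (reading /etc/sudoers requires root).
audit_live_host() {
  local bin ver
  bin=$(command -v sudo) || { echo "sudo not found in PATH"; return 1; }
  ver=$(sudo -V 2>/dev/null | head -n1)
  echo "binary:  $bin -> $(readlink -f "$bin" 2>/dev/null || printf '%s' "$bin")"
  echo "version: $ver -> $(sudo_version_status "$ver")"
  echo "host-scoped user specs:"; host_scoped_entries /etc/sudoers /etc/sudoers.d/* 2>/dev/null
  echo "chroot directives:";      chroot_directives  /etc/sudoers /etc/sudoers.d/* 2>/dev/null
}

# Constructed sample sudoers (not from any real host) so the parsers run offline.
SAMPLE_SUDOERS=$(mktemp)
trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat >"$SAMPLE_SUDOERS" <<'EOF'
# constructed example policy, not a real one
Defaults env_reset
Defaults runchroot=/srv/jail
Host_Alias WEBSERVERS = web1, web2
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
alice WEBSERVERS=(root) /usr/bin/systemctl restart nginx
deploy build01 = (root) NOPASSWD: /usr/bin/apt-get
bob ALL=(root) CHROOT=/srv/jail /bin/ls
EOF

if [ "${SUDO_AUDIT_LIVE:-0}" = 1 ]; then
  audit_live_host
else
  echo "findings in the constructed sample:"
  host_scoped_entries "$SAMPLE_SUDOERS"   # flags the alice and deploy entries
  chroot_directives "$SAMPLE_SUDOERS"     # flags runchroot= and CHROOT=
fi
```

Run it as-is to see the parsers on the sample; run with `SUDO_AUDIT_LIVE=1` as root to audit a host. The version verdict deliberately reports "confirm a distro backport" instead of "vulnerable" for older version strings, since the package changelog, not the version number, is the authority on backported fixes.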

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8472
 

Root escalation is an identity boundary failure, not just a patching issue: sudo sits on the line between ordinary user context and privileged execution, so defects here reclassify a local identity into a root actor. That makes the problem relevant to IAM, PAM, and workload governance, not only host operations. When the elevation layer is wrong, the identity programme has already lost the boundary it thought it controlled.

A few things that frame the scale:

  • 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage, according to the Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why runtime verification matters when privilege paths are being assessed.

A question worth separating out:

Q: Who is accountable when a sudo flaw allows root escalation?

A: Accountability sits with the team that owns privileged access governance and host hardening, because this is a control-boundary failure rather than a user mistake. In regulated environments, incident response, configuration management, and access governance all share responsibility for proving that privileged execution paths are current and constrained.

👉 Read our full editorial: Sudo privilege escalation flaws expose NHI governance gaps
