
Sudo privilege escalation flaws: what IAM teams need to know


(@nhi-mgmt-group)

TL;DR: Two sudo vulnerabilities, CVE-2025-32462 and CVE-2025-32463, let local users bypass host checks or load malicious libraries with root privileges, affecting Linux and macOS systems and prompting CISA KEV inclusion for the latter, according to Oligo Security. The bigger lesson is that privilege boundaries built for stable administrative workflows fail fast when elevation paths are exploitable at runtime.

NHIMG editorial — based on content published by Oligo Security: New sudo vulnerabilities, CVE-2025-32462 and CVE-2025-32463

By the numbers:

Questions worth separating out

Q: What breaks when sudo privilege checks can be bypassed locally?

A: A local user can move from limited command execution to root-level control without crossing the normal policy boundary.

Q: Why does sudo exploitation matter for IAM and PAM teams?

A: Because sudo is a privilege boundary, not just a Linux utility.

Q: How do security teams know whether sudo exposure is really closed?

A: They need to verify the active binary, not only the patch ticket or package record.

Practitioner guidance

  • Verify the live sudo binary on every host. Confirm sudo 1.9.17p1 or the distro backport is the version actually executing, not just the version recorded in the package database.
  • Review host-specific sudoers rules. Search /etc/sudoers* for host-scoped entries that are not ALL, then convert them to group-based or tag-based controls where possible.
  • Remove deprecated chroot directives. Disable use_chroot and delete CHROOT= or runchroot=* directives so privilege checks cannot be paired with attacker-controlled filesystem state.
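The three checks above as one added audit script (example code written for this post, not Oligo Security's tooling). It assumes upstream sudo's "Sudo version X.Y.Z[pN]" output from sudo -V and standard sudoers syntax, and runs the policy checks against a constructed sample file rather than the host's real /etc/sudoers.

```sh
#!/bin/sh
# Added audit helpers for the three guidance items; not Oligo Security's tooling.
# Assumes `sudo -V` prints "Sudo version X.Y.Z[pN]" (upstream format) and standard
# sudoers syntax. A version below 1.9.17p1 may still be a patched distro backport,
# so treat "below" as "confirm against the distro advisory", not as proven exposure.
FIXED_VERSION="1.9.17p1"

# Zero-pad "1.9.17p1" to "001.009.017.001" so string order equals version order.
version_key() {
    printf '%s\n' "$1" \
      | sed -nE 's/^([0-9]+)\.([0-9]+)\.([0-9]+)(p([0-9]+))?$/\1 \2 \3 \5/p' \
      | awk '{ printf "%03d.%03d.%03d.%03d\n", $1, $2, $3, ($4 == "" ? 0 : $4) }'
}
# Exit 0 when version $1 is at or above FIXED_VERSION; unparsable input exits 1.
sudo_version_is_fixed() {
    have=$(version_key "$1"); want=$(version_key "$FIXED_VERSION")
    [ -n "$have" ] && [ "$(printf '%s\n%s\n' "$have" "$want" | sort | head -n 1)" = "$want" ]
}
# Version of the sudo that actually executes via PATH, not the package record.
live_sudo_version() {
    command -v sudo >/dev/null 2>&1 || return 1
    sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p'
}
# Print command rules whose host field is anything other than ALL.
host_scoped_rules() {
    grep -hvE '^[[:space:]]*(#|@|$)' "$@" | awk -F'=' '
        /^[ \t]*(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)/ { next }
        { h = $1; sub(/^[ \t]+/, "", h); split(h, f, /[ \t]+/)
          if (f[2] != "" && f[2] != "ALL") print $0 }'
}
# Print chroot-related directives with line numbers; exit 1 when none exist.
chroot_directives() { grep -nE 'use_chroot|CHROOT=|runchroot' "$@"; }

# Constructed sample policy so the script runs stand-alone; not a real sudoers file.
SAMPLE_SUDOERS=$(mktemp); trap 'rm -f "$SAMPLE_SUDOERS"' EXIT
cat > "$SAMPLE_SUDOERS" <<'EOF'
Defaults    env_reset
Defaults    runchroot=/srv/jail
Cmnd_Alias  SERVICES = /usr/bin/systemctl
root        ALL=(ALL:ALL) ALL
deploy      build-host-01 = (root) /usr/bin/rsync
ops         ALL = CHROOT=/srv/jail /bin/ls
EOF
ver=$(live_sudo_version || true)
if [ -z "$ver" ]; then echo "live sudo: not found on PATH"
elif sudo_version_is_fixed "$ver"; then echo "live sudo $ver: at or above $FIXED_VERSION"
else echo "live sudo $ver: below $FIXED_VERSION, confirm the distro backport"; fi
echo "host-scoped rules:"; host_scoped_rules "$SAMPLE_SUDOERS"
echo "chroot directives:"; chroot_directives "$SAMPLE_SUDOERS" || echo "(none)"
```

Point host_scoped_rules and chroot_directives at /etc/sudoers /etc/sudoers.d/* (as root) to audit a real host.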

What's in the full article

Oligo Security's full post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step remediation guidance for CVE-2025-32462 and CVE-2025-32463 across Linux distributions and macOS
  • Command-level examples for spotting improper -h and --chroot usage during privilege escalation attempts
  • Runtime detection details for identifying vulnerable sudo versions even when package records look current
  • Hardening guidance for writable system paths that can be abused during root transitions

Read Oligo Security's analysis of the new sudo privilege escalation flaws.
