Part of Lyceum Intelligence — deep-research In Focus reports → · Lyceum Corpus — ask the documents →

Full-text search across 381 articles. Typo-tolerant.

Lyceum News Desk ·

CVE-2025-32463 -- CVSS 9.3 Vulnerability Briefing

CVE-2025-32463 | CVSS 9.3 (Critical) | Exploit: PoC available

What Is It

CVE-2025-32463 is a local privilege escalation vulnerability in Sudo (Project Sudo) before version 1.9.17p1, affecting distributions including Canonical Ubuntu Linux and Debian Linux, caused by improper handling of the --chroot option which allows a user-controlled /etc/nsswitch.conf to be loaded.

Technical Detail

When Sudo is invoked with the --chroot option, it resolves /etc/nsswitch.conf relative to the chroot directory specified by the user rather than enforcing a trusted system path. An attacker with local access can craft a malicious nsswitch.conf inside a directory they control, causing Sudo to load attacker-specified name service modules during privilege resolution. Successful exploitation results in full root privilege escalation on the affected host.

Exploitation Status

A proof-of-concept exploit is publicly available. There is no confirmed evidence of active in-the-wild exploitation at this time, and this CVE is not currently listed in the CISA Known Exploited Vulnerabilities catalog. The availability of a PoC lowers the barrier for exploitation and increases the likelihood of near-term abuse, particularly by local or authenticated attackers on multi-user systems.

Who Is Targeting This

No specific threat actor attribution at this time. No campaigns or targeted sectors have been identified in association with this vulnerability. Given the local access requirement, this vulnerability is most relevant as a post-exploitation privilege escalation step following initial access, which is a technique commonly used across a broad range of threat actor profiles.

What To Do

Upgrade Sudo to version 1.9.17p1 or later immediately on all affected systems running Ubuntu Linux, Debian Linux, or any distribution shipping a vulnerable Sudo build. Patch priority should be treated as high given the critical CVSS score of 9.3 and the availability of public PoC code. As an interim workaround, restrict or audit use of the --chroot option via sudoers policy, removing it from permitted command configurations where not operationally required. Detection efforts should focus on monitoring Sudo invocations that include the --chroot flag, particularly those referencing non-standard or user-writable directories, using endpoint logging or auditd rules targeting execve calls to the sudo binary.

In Focus
All analysis →

Deep-research intelligence reports from Lyceum Intelligence — structured assessments with sourced claims and calibrated conclusions.

Browse Intelligence Reports →