A public proof-of-concept, PoC, has been published for CVE-2025-32463, a local privilege escalation flaw in the Sudo utility that can allow a local attacker to gain root privileges under certain configurations. Security researcher Rich Mirch discovered the issue, and a working exploit plus usage instructions are available in an open GitHub repository, increasing the pressure on administrators to patch Linux hosts that use Sudo’s chroot capability.
Technical
The fault lies in how Sudo manages chroot-related invocation paths and the execution environment when running commands with elevated privileges. In Sudo versions 1.9.14 through 1.9.17, under specific conditions, a low-privileged account can leverage the chroot feature to escape the restricted environment, then run commands as root, resulting in full system compromise when Sudo policies permit chroot execution.
The PoC shows a straightforward exploitation sequence, verify the target Sudo version, execute the exploit script, observe the effective UID and GID switch to root, confirming a successful escalation.
In test screenshots, the user’s UID moves from uid=1001 to uid=0 after running the script, demonstrating the escalation.
Affected versions, impact, prerequisites
- Affected products, Sudo versions 1.9.14 through 1.9.17, patches available in 1.9.17p1 and later.
- Impact, local privilege escalation to root.
- Exploit prerequisites, local account access, and the ability to invoke sudo when chroot usage is allowed by Sudo policies. Note, legacy Sudo releases prior to 1.9.14 lack the chroot feature and are not affected.
Risk considerations
This vulnerability turns a common local privilege escalation scenario into a full system compromise when Sudo is configured to allow chroot execution. Weaponization depends on an attacker already having a local account, and on permissive Sudoers policies that permit chroot operations.
Mitigations and recommended actions
- Patch immediately where possible, upgrade Sudo to version 1.9.17p1 or newer across impacted hosts.
- If upgrades must be staged, harden Sudoers rules to deny or strictly limit chroot usage, apply least privilege principles.
- Use mandatory access control, for example AppArmor or SELinux, to further restrict Sudo behavior and contain potential abuse paths during upgrade windows.
- Review and tighten sudoers entries that grant running shells or commands in chroot environments.
Detection guidance
Defenders should monitor for anomalous Sudo calls that reference chroot or unusual working directories, correlate privilege transitions where non-root accounts suddenly observe uid 0, and alert on rapid sequences like id, exploit, id, which are common during exploitation checks. Logging and correlation across endpoints will help identify suspicious escalation attempts.
