A critical vulnerability has been disclosed affecting Sudo versions 1.9.14 through 1.9.17 that can allow a local, non-privileged user to escalate to root. A proof-of-concept (PoC) exploit is publicly available, so immediate attention is required.
What you need to know
The issue is triggered by how Sudo handles chroot operations. A PoC demonstrates local privilege escalation to root.
The flaw can bypass sudoers restrictions in some cases, allowing root access even for accounts not explicitly granted sudo privileges.
Affected systems include many major Linux distributions that shipped the vulnerable Sudo versions (for example: Ubuntu, Red Hat, Debian families).
The vulnerability is tracked as CVE-2025-32463 and has been rated Critical (CVSS 9.3).
Patches addressing the issue have been released (Sudo 1.9.17p1 and later).
CISA has added this CVE to its Known Exploited Vulnerabilities catalog.
Recommended mitigations (prioritize immediately)
- Patch now
Upgrade Sudo to 1.9.17p1 or later on all affected hosts. Prioritize internet-facing, multi-user, shared, and container/VM host systems first. Test upgrades in staging before mass rollout where possible. - Limit use of –chroot
Disable or avoid using Sudo’s –chroot option where feasible until systems are patched. - Apply additional controls
Use mandatory access control (MAC) frameworks such as SELinux or AppArmor to constrain Sudo and reduce the attack surface. - Hunt and monitor
- Search logs for unexpected uses of sudo combined with chroot or other unusual invocations.
- Monitor for anomalous privilege escalation attempts and new local root shells
- Increase alerting sensitivity for local account activity on multi-user systems.
- Audit privilege paths
Review privileged access and local privilege escalation paths in your environment (especially in shared and containerized environments). Harden accounts and reduce unnecessary sudo access. - Contain and investigate
If you detect suspicious activity or signs of exploitation, isolate compromised hosts, preserve logs and disk images for forensic analysis, and follow your incident response procedures.
One simple update can stop a full system compromise.
Detection tips
Check the installed Sudo version to identify vulnerable hosts.
Grep logs (e.g., /var/log/auth.log, journalctl) for recent sudo / chroot usage.
Look for newly created root shells, unexpected root-owned processes, or unauthorized changes to system files.
Notes on exploit details
Do not attempt to reproduce PoC exploits on production systems. Public PoCs help defenders and attackers alike; use them only in isolated test environments and only if you understand the risks.