CISA Adds Critical Sudo “chroot” Flaw to KEV

Sep 30, 2025 | News





What CISA announced

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-32463, a critical privilege-escalation bug in Sudo, to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation in the wild and setting October 20, 2025 as the deadline by which federal agencies must apply the required mitigations.


The vulnerability in brief

CVE-2025-32463 (CVSS 9.3) impacts Sudo versions prior to 1.9.17p1 and can allow a local attacker to escalate to root by abusing the -R (--chroot) option — specifically because sudo may use /etc/nsswitch.conf from a user-controlled directory when operating inside a chroot.


Who discovered it and when

The flaw was disclosed by Rich Mirch of Stratascale’s Cyber Research Unit; Stratascale published technical details and coordinated disclosure with the Sudo maintainer. Vendors and major distributions have since released patches or mitigations directing users to upgrade to sudo 1.9.17p1 or later.


Evidence of exploitation and scope

CISA’s KEV listing explicitly notes active exploitation and places the Sudo entry alongside other recently added actively exploited CVEs — giving agencies a firm mitigation deadline and signalling that defenders should treat the issue as urgent. Public reporting and vendor advisories corroborate that this is a high-impact local privilege escalation affecting many Linux/Unix distributions.


Mitigation and remediation steps

Administrators should take these immediate actions:

  • Upgrade Sudo to 1.9.17p1 or later from vendor packages or the upstream Sudo advisory.
  • If immediate upgrade is not feasible, isolate or restrict access to systems where untrusted local accounts exist (e.g., container hosts, multi-user servers, build servers).
  • Audit sudoers rules and the use of -R/--chroot in automation or scripts; remove or constrain chroot usage where possible.
  • Harden logging and detection for local privilege-escalation attempts and monitor for anomalous sudo or chroot-related activity.
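The upgrade, sudoers audit and log-review steps above can be scripted. The following POSIX shell helper is an added example written for this page, not code from the article, CISA, Stratascale or the Sudo project. It assumes that sudo reports its version as MAJOR.MINOR.MICRO with an optional pN suffix (the format printed by `sudo -V`), that chroot is enabled in sudoers through a `Defaults runchroot=` line or a per-command `CHROOT=` tag, and that the sudoers log line carries a `CHROOT=` field when a chroot directory was requested. The sudoers and log lines it runs on are constructed samples; the comment at the end shows how to point it at the live files.

```shell
#!/bin/sh
# Added triage helper for CVE-2025-32463 (example code written for this page,
# not from the article, CISA, Stratascale or the Sudo project). It carries out
# the three administrative checks from the mitigation list: compare the installed
# sudo against the fixed release 1.9.17p1, find sudoers directives that enable
# chroot, and count log lines that show sudo being run with -R/--chroot.
#
# Assumptions: sudo's version string is MAJOR.MINOR.MICRO with an optional pN
# suffix, as printed by "sudo -V"; chroot is enabled in sudoers via
# "Defaults runchroot=" or a "CHROOT=" command tag; and the sudoers log line
# carries a "CHROOT=" field when a chroot directory was requested.

FIXED_VERSION="1.9.17p1"

# Map "1.9.17p1" to one integer so two versions can be compared with -ge.
# Missing components (for example no pN suffix) count as zero.
version_key() {
    ver="$1"
    base="${ver%%p*}"                              # "1.9.17"
    patch="${ver#"$base"}"; patch="${patch#p}"     # "1" or ""
    major=$(printf '%s\n' "$base" | cut -d. -f1)
    minor=$(printf '%s\n' "$base" | cut -d. -f2 -s)
    micro=$(printf '%s\n' "$base" | cut -d. -f3 -s)
    echo $(( ${major:-0} * 1000000 + ${minor:-0} * 10000 + ${micro:-0} * 100 + ${patch:-0} ))
}

# Exit status 0 when the given version already contains the fix, 1 otherwise.
sudo_version_is_fixed() {
    [ "$(version_key "$1")" -ge "$(version_key "$FIXED_VERSION")" ]
}

# Version of the sudo binary on this host, or "" if sudo is not installed.
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n 's/^Sudo version //p' | head -n 1
}

# Read sudoers text on stdin and print the non-comment lines that turn on
# chroot: "Defaults runchroot=..." or a per-command "CHROOT=..." tag.
audit_sudoers_chroot() {
    grep -v '^[[:space:]]*#' | grep -Ei 'runchroot|CHROOT=' || true
}

# Read sudoers log lines on stdin and print how many carry a CHROOT= field,
# i.e. how many sudo invocations asked for a chroot at all.
count_chroot_invocations() {
    grep -c 'CHROOT=' || true
}

# ---- constructed sample input; nothing on the real host is read below ----
SAMPLE_SUDOERS='# constructed sample sudoers
Defaults runchroot=/srv/jail
build ALL=(root) CHROOT=/srv/build /usr/bin/make
ops   ALL=(ALL) NOPASSWD: /usr/bin/systemctl'

SAMPLE_LOG='Sep 30 10:01:02 host sudo:    ops : TTY=pts/0 ; PWD=/home/ops ; USER=root ; COMMAND=/usr/bin/systemctl status
Sep 30 10:02:15 host sudo:  build : TTY=pts/1 ; CHROOT=/home/build/rootfs ; PWD=/home/build ; USER=root ; COMMAND=/usr/bin/id'

for v in 1.9.16 1.9.17 1.9.17p1 1.9.18; do
    if sudo_version_is_fixed "$v"; then
        echo "sudo $v: patched"
    else
        echo "sudo $v: VULNERABLE, upgrade to $FIXED_VERSION"
    fi
done

echo "sudoers lines enabling chroot:"
printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers_chroot

echo "sudo invocations with a chroot in sample log: $(printf '%s\n' "$SAMPLE_LOG" | count_chroot_invocations)"

# On a real host, replace the samples with the live data, for example:
#   sudo_version_is_fixed "$(installed_sudo_version)"
#   audit_sudoers_chroot < /etc/sudoers     (repeat for each file in /etc/sudoers.d)
#   count_chroot_invocations < /var/log/auth.log
```

Any non-zero count of chroot invocations is not proof of exploitation, only of `-R` being used at all; on a host where no sudoers rule or script legitimately needs a chroot, every such line deserves a look, and the version check decides whether the upgrade is still outstanding.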



Additional CVEs added to the KEV batch

The same KEV update also added four other flaws, in Adminer, Cisco IOS/IOS XE, Fortra GoAnywhere MFT, and Libraesva ESG, all carrying the same due date (October 20, 2025). Agencies should treat this update as part of a wider forced-priority patching window.


Bottom line

Patch Sudo now (1.9.17p1 or newer), verify your sudoers and chroot usage, and prioritize systems exposed to multiple local users. CISA’s KEV designation and the October 20 deadline underscore that this is not a routine update — it’s a widely impactful, actively exploited vulnerability that needs immediate attention.


Source: bleepingcomputer.com, cisa.com, thehackernews.com, stratascale.com
