Overview

Serious privilege escalation risks in Linux and macOS systems

Two newly discovered vulnerabilities in sudo, the standard tool for running commands with elevated privileges, have opened up straightforward paths for attackers to gain root access on systems. These flaws impact a wide range of Linux distributions and macOS systems. If left unpatched, they let any local user quickly escalate privileges, disable security measures, and move deeper into the network.

In short

Two significant vulnerabilities were discovered in sudo and patched in version 1.9.17p1 (June 2025). The first, CVE-2025-32462, known as a “Policy-Check Flaw”, is rated high severity and affects versions 1.8.8 through 1.9.17. It allows attackers to bypass host checks and execute commands as root. The second, CVE-2025-32463, dubbed a “chroot to root” bug, carries a Critical rating (CVSS 9.3) and affects versions 1.9.14 through 1.9.17; it enables attackers to load malicious libraries with root privileges. While major Linux distributions have shipped patches, some systems may still lag behind.

A closer look at each vulnerability

CVE-2025-32462 — “Policy-Check Flaw”

The -h / --host option in sudo was intended only for sudo -l (listing privileges). In affected versions, it could be added to any command. This tricked sudo into thinking it was on a permitted host, allowing someone with even minimal sudo access to run commands as root, bypassing host-specific rules.

The fix ensures -h is rejected unless used with -l.

CVE-2025-32463 — “chroot to root”

This issue involves sudo’s -R / --chroot option. Older versions would switch into the specified directory before fully evaluating privileges. An attacker could prepare a writable directory (for example under /tmp), place a fake /etc/nsswitch.conf and a malicious libnss_*.so library there, and then invoke sudo. Sudo would load the attacker’s code as root.

The latest sudo release disables this chroot behavior during policy checks.

Recommended Actions

CVE-2025-32462

  1. Install sudo 1.9.17p1 (or your distro’s back-ported package) on every host, then verify with sudo -V
  2. Review host-specific rules - Search /etc/sudoers* for rules whose host field is not ALL. Convert them to group-based or tag-based controls where possible.

CVE-2025-32463

  1. Install sudo 1.9.17p1 (or your distro’s back-ported package) on every host, then verify with sudo -V
  2. Disable deprecated features - Add Defaults !use_chroot and delete any CHROOT= / runchroot=* directives.
  3. Harden world-writable areas - Remount /tmp, /var/tmp, /dev/shm with nosuid,nodev,noexec where operationally safe.
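The two checklists above can be scripted. The following is an added example, not Oligo's code and not part of sudo: it encodes the affected ranges stated in this post, parses the first line of sudo -V, scans sudoers text for host fields that are not ALL and for CHROOT= / runchroot= directives, checks for Defaults !use_chroot, and reports which of /tmp, /var/tmp and /dev/shm lack nosuid, nodev or noexec. The sudoers and /proc/mounts samples inside it are constructed. The version check is a plain range comparison, so a distribution that back-ported the fix without changing the version string will still be flagged and should be confirmed against the distribution's advisory.

```python
"""Audit helper for the steps above (added example; not Oligo's code and not part of
sudo). Checks a sudo version string against the affected ranges the post states, scans
sudoers text for non-ALL host fields, CHROOT=/runchroot= directives and Defaults
!use_chroot, and checks tmp mounts for nosuid,nodev,noexec. Samples are constructed."""
import glob
import re
import subprocess
from typing import Any, Dict, List, Tuple

FIXED = (1, 9, 17, 1)                          # 1.9.17p1, the fixed release named in the post
AFFECTED = {"CVE-2025-32462": (1, 8, 8, 0),    # lower bound of each range; both end at 1.9.17
            "CVE-2025-32463": (1, 9, 14, 0)}
HOST_RULE = re.compile(r"^\s*(\S+)\s+(\S+)\s*=")        # user  host = (runas) commands
CHROOT_DIRECTIVE = re.compile(r"(?:^|\s)CHROOT=|\brunchroot=")
TMP_DIRS = ("/tmp", "/var/tmp", "/dev/shm")
WANT_OPTS = ("nosuid", "nodev", "noexec")

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'Sudo version 1.9.17p1' or '1.9.13p3-1ubuntu1' -> (1, 9, 17, 1); missing parts are 0."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))

def affected_cves(version_text: str) -> List[str]:
    """CVEs whose stated range contains this version. Distros often back-port the fix
    without changing the version string, so a hit means 'confirm against the advisory'."""
    v = parse_version(version_text)
    return [cve for cve, low in AFFECTED.items() if low <= v < FIXED]

def host_specific_rules(sudoers: str) -> List[str]:
    """User specifications whose host field is not ALL; comments, @include, Defaults and aliases are skipped."""
    hits = []
    for line in sudoers.splitlines():
        s = line.strip()
        if not s or s[0] in "#@" or s.startswith("Defaults") or "_Alias" in s.split("=")[0]:
            continue
        m = HOST_RULE.match(line)
        if m and m.group(2) != "ALL":
            hits.append(s)
    return hits

def chroot_directives(sudoers: str) -> List[str]:   # lines still carrying CHROOT= or runchroot=
    return [l.strip() for l in sudoers.splitlines()
            if not l.strip().startswith("#") and CHROOT_DIRECTIVE.search(l)]

def use_chroot_disabled(sudoers: str) -> bool:      # True when a Defaults ... !use_chroot line exists
    return re.search(r"^\s*Defaults\b.*!use_chroot\b", sudoers, re.M) is not None

def tmp_mount_gaps(proc_mounts: str) -> Dict[str, List[str]]:
    """Per tmp dir: missing hardening options; a dir that is not its own mount inherits its parent's."""
    opts = {f[1]: set(f[3].split(",")) for f in map(str.split, proc_mounts.splitlines())
            if len(f) >= 4 and f[1] in TMP_DIRS}
    gaps: Dict[str, List[str]] = {}
    for d in TMP_DIRS:
        missing = [o for o in WANT_OPTS if o not in opts[d]] if d in opts else ["not a separate mount"]
        if missing:
            gaps[d] = missing
    return gaps

# Constructed samples, not real host data.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults !use_chroot
Host_Alias WEB = web01, web02
alice ALL=(ALL:ALL) ALL
bob   web01 = (root) /usr/bin/systemctl restart nginx
%ops  WEB = (root) CHROOT=/srv/jail /bin/ls
@include /etc/sudoers.d/extra
"""
SAMPLE_MOUNTS = """\
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""

def audit_live() -> Dict[str, Any]:
    """Same checks on this host; /etc/sudoers* needs root and unreadable files are skipped."""
    def read(path: str) -> str:
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            return ""
    try:
        ver = subprocess.run(["sudo", "-V"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        ver = ""
    cfg = "\n".join(read(p) for p in ["/etc/sudoers"] + sorted(glob.glob("/etc/sudoers.d/*")))
    return {"affected": affected_cves(ver) if ver else "no output from sudo -V",
            "host_specific_rules": host_specific_rules(cfg),
            "chroot_directives": chroot_directives(cfg),
            "use_chroot_disabled": use_chroot_disabled(cfg),
            "tmp_mount_gaps": tmp_mount_gaps(read("/proc/mounts"))}

if __name__ == "__main__":
    print("sample:", affected_cves("Sudo version 1.9.17"), tmp_mount_gaps(SAMPLE_MOUNTS))
    print("this host:", audit_live())
```

Run as root to get a full report; as an unprivileged user the sudoers checks return empty lists because the files cannot be read, which the script reports silently rather than as a clean bill of health.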

How Oligo helps: spotting both the vulnerable versions and exploit attempts

Exploits can happen throughout the kill chain. Oligo is focused on catching exploits wherever they happen during an attack: whether to gain initial access, or post-intrusion to inflict greater damage.

While patching is the first and best line of defense, the reality is that many production systems lag behind the latest secure versions. Some containers may continue to run older binaries for extended periods. Oligo helps customers identify whether they are running vulnerable sudo versions and detects attempts to exploit these vulnerabilities.

Identifying vulnerable sudo versions

Oligo continuously observes what’s actually running, including binary versions in memory. This means it can flag systems where sudo is still within the vulnerable range, even if the package database claims otherwise. This gives teams a practical, live view of their exposure.

Detecting exploitation attempts at runtime

Beyond tracking versions, Oligo provides deep, real-time monitoring of program behavior. The sensor records each process execution in detail — capturing execution flags, which libraries are loaded, and how privileges change. This level of visibility makes it possible to catch attempts to exploit these sudo flaws, such as:

  • Using -h improperly on commands that aren’t sudo -l

  • Loading unexpected libraries from attacker-controlled directories during privilege changes

This approach is more robust than simple syscall tracing. It focuses on understanding the full context around process execution, which is critical for spotting subtle privilege escalations.
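To make the two behaviours above concrete, here is an added detection sketch. It is not Oligo's sensor code; it assumes a simple event format (one JSON object per process execution with argv, real and effective uid, and the library paths the process loaded, as a sensor might record them) and applies two rules: a sudo invocation that carries -h <host> or --host without -l/--list, and a process that loads a library from outside the system library directories while its effective uid has become 0. The sample events are constructed.

```python
"""Detection sketch for the two behaviours listed above (added example, not Oligo's
sensor code). Runs two rules over constructed process-execution events given as JSON
lines with argv, real/effective uid and loaded library paths. The event format and
the sample events are assumptions made for this example."""
import json
import re
from typing import Any, Dict, List

# Library locations a privileged process is expected to load from; anything else is suspect.
TRUSTED_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/", "/usr/local/lib/")
SHORT_OPTS = re.compile(r"-[A-Za-z]+$")   # a cluster of single-letter options such as -l or -Hn

def host_flag_without_list(argv: List[str]) -> bool:
    """Rule 1: -h <host> / --host used without -l/--list. A bare 'sudo -h' with no
    following word is the help flag and is not counted."""
    args = argv[1:]
    has_list = any(a == "--list" or (SHORT_OPTS.match(a) and "l" in a) for a in args)
    has_host = False
    for i, a in enumerate(args):
        if a == "--host" or a.startswith("--host="):
            has_host = True
        elif SHORT_OPTS.match(a) and "h" in a and i + 1 < len(args) and not args[i + 1].startswith("-"):
            has_host = True   # -h consumed the next word as a host name
    return has_host and not has_list

def untrusted_libs_at_privilege_change(ev: Dict[str, Any]) -> List[str]:
    """Rule 2: libraries loaded from outside the system library dirs by a process whose
    effective uid became 0 while its real uid was not (the privilege-change window)."""
    if ev.get("euid") != 0 or ev.get("uid") == 0:
        return []
    return [p for p in ev.get("libs", []) if not p.startswith(TRUSTED_LIB_DIRS)]

def detect(events_jsonl: str) -> List[Dict[str, Any]]:
    """Apply both rules to each event; rule 1 only applies to sudo itself."""
    alerts = []
    for line in events_jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("comm") == "sudo" and host_flag_without_list(ev.get("argv", [])):
            alerts.append({"ts": ev["ts"], "rule": "sudo-host-flag-without-list", "argv": ev["argv"]})
        libs = untrusted_libs_at_privilege_change(ev)
        if libs:
            alerts.append({"ts": ev["ts"], "rule": "untrusted-library-at-privilege-change",
                           "comm": ev.get("comm"), "libs": libs})
    return alerts

# Constructed sample events, one JSON object per line (not real sensor output).
SAMPLE_EVENTS = """\
{"ts": 1, "comm": "sudo", "uid": 1000, "euid": 0, "argv": ["sudo", "-l"], "libs": ["/usr/lib/x86_64-linux-gnu/libnss_files.so.2"]}
{"ts": 2, "comm": "sudo", "uid": 1000, "euid": 0, "argv": ["sudo", "-h", "web01", "-l"], "libs": []}
{"ts": 3, "comm": "sudo", "uid": 1000, "euid": 0, "argv": ["sudo", "-h", "web01", "id"], "libs": []}
{"ts": 4, "comm": "sudo", "uid": 1000, "euid": 0, "argv": ["sudo", "--host=web01", "/bin/sh"], "libs": []}
{"ts": 5, "comm": "sudo", "uid": 1000, "euid": 0, "argv": ["sudo", "-R", "/tmp/x", "id"], "libs": ["/tmp/x/lib/libnss_foo.so.2"]}
{"ts": 6, "comm": "vim", "uid": 1000, "euid": 1000, "argv": ["vim"], "libs": ["/home/u/.local/lib/libfoo.so"]}
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Events 1 and 2 are legitimate (a plain listing, and -h paired with -l); events 3, 4 and 5 produce alerts; event 6 loads an unusual library but without any privilege change, so rule 2 stays quiet. The library rule is the one that needs context beyond a syscall trace: it only fires when the load coincides with the uid transition, which is what distinguishes it from a user running code out of their home directory.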

We’ve explained more about this depth-first approach in our recent post on why not all eBPF-based sensors go deep enough.

Why this matters

Even organizations with strong patch management can be exposed to new risks. Oligo helps by:

  • Highlighting where vulnerable sudo versions are still in use
  • Detecting exploit attempts in real time
  • Providing rich, contextual data to speed up investigations

See how it works

If you’d like to see how Oligo picks up on these vulnerabilities and stops exploitation attempts in live environments, book a demo. We’d be happy to show you.

Hadas Marzook
Data & Threat Researcher