Critical Vulnerability in Linux/Unix Sudo Utility Actively Exploited
- December 2, 2025
- Posted by: Chernor Jalloh
THREAT OVERVIEW
SL-CSIRT warns all system administrators, organizations, and the general public about a newly disclosed critical vulnerability in the widely used sudo utility on Linux/Unix systems. The flaw, tracked as CVE-2025-32463 (CVSS 9.3), allows local attackers to execute arbitrary commands with root privileges, bypassing restrictions in the sudoers configuration.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that this vulnerability is being actively exploited in the wild, raising urgent concerns for national networks and infrastructures that rely on Linux-based systems.
AFFECTED SYSTEMS
• All Linux/Unix systems running sudo versions earlier than 1.9.17p1.
• Any environment where local user accounts exist, especially shared or multi-user systems.
POTENTIAL IMPACT
• Privilege Escalation: Attackers can gain root/admin control.
• System Compromise: Once root access is obtained, attackers can disable security tools, steal sensitive data, install malware, or pivot to other systems.
• Bypassing Access Controls: Exploit works even if the user is not listed in sudoers.
MITIGATION & RECOMMENDATIONS
SL-CSIRT strongly advises all organizations and individuals to take the following immediate actions:
1. Check sudo version:
o Run sudo --version.
o If the reported version is below 1.9.17p1, your system is vulnerable.
2. Apply Patches/Updates:
o Update sudo to 1.9.17p1 or later, or apply distribution-specific security updates as soon as possible.
3. Restrict sudo usage:
o Temporarily avoid using sudo -R or --chroot.
o Limit local accounts and enforce the principle of least privilege.
4. Monitor & Audit Logs:
o Review system logs for unusual sudo activity.
o Deploy security monitoring tools (IDS/EDR) for early detection.
5. National Reporting:
o Report any suspicious exploitation attempts to SL-CSIRT immediately for coordination and response.
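The version check and the log review from the recommendations above, as an added shell example that is not part of the SL-CSIRT advisory. It compares a sudo version string against the fixed release 1.9.17p1 named in the advisory (parsing MAJOR.MINOR.PATCH with an optional pLEVEL suffix), reads the installed version from the first line of sudo --version, and scans syslog-style sudo entries for the CHROOT= field that sudo 1.9 records when -R/--chroot is used. The log lines embedded in the script are constructed samples, not real logs; the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the SL-CSIRT advisory): sudo version check and
# log review for CVE-2025-32463. Fixed release taken from the advisory.
FIXED_VERSION="1.9.17p1"

# version_key VERSION -> prints four numeric fields, e.g. 1.9.17p1 -> "1 9 17 1".
# A missing "pLEVEL" suffix counts as level 0, so 1.9.17 sorts below 1.9.17p1.
version_key() {
    ver=$1
    base=${ver%%p*}                     # "1.9.17p1" -> "1.9.17"
    case "$ver" in
        *p*) plevel=${ver##*p} ;;       # "1.9.17p1" -> "1"
        *)   plevel=0 ;;
    esac
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0   # two-part version such as "1.9"
    printf '%d %d %d %d\n' "$major" "$minor" "$patch" "$plevel"
}

# version_lt A B -> exit 0 if version A is strictly older than version B.
version_lt() {
    set -- $(version_key "$1") $(version_key "$2")   # $1..$4 = A, $5..$8 = B
    [ "$1" -lt "$5" ] && return 0
    [ "$1" -gt "$5" ] && return 1
    [ "$2" -lt "$6" ] && return 0
    [ "$2" -gt "$6" ] && return 1
    [ "$3" -lt "$7" ] && return 0
    [ "$3" -gt "$7" ] && return 1
    [ "$4" -lt "$8" ] && return 0
    return 1
}

# sudo_vulnerable VERSION -> exit 0 (true) if VERSION is below the fixed release.
sudo_vulnerable() {
    version_lt "$1" "$FIXED_VERSION"
}

# check_installed_sudo -> reads "Sudo version X" from the first line of
# `sudo --version` and reports. Exit status: 0 patched, 1 vulnerable, 2 unknown.
check_installed_sudo() {
    installed=$(sudo --version 2>/dev/null | sed -n '1s/^Sudo version //p')
    if [ -z "$installed" ]; then
        echo "sudo not found or its version could not be read"
        return 2
    fi
    if sudo_vulnerable "$installed"; then
        echo "sudo $installed is VULNERABLE (fixed in $FIXED_VERSION): update now"
        return 1
    fi
    echo "sudo $installed is at or above $FIXED_VERSION"
    return 0
}

# Constructed sample of sudo syslog entries (not real logs). sudo 1.9 adds a
# "CHROOT=dir" field to the entry when the command was run with -R/--chroot.
SAMPLE_LOG='Dec  2 09:12:01 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Dec  2 09:14:37 host1 sudo:      bob : TTY=pts/1 ; CHROOT=/tmp/work ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/id
Dec  2 09:15:02 host1 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash'

# chroot_sudo_events LOGTEXT -> prints the sudo entries that used a chroot.
chroot_sudo_events() {
    printf '%s\n' "$1" | grep -E 'sudo:.* CHROOT='
}

# count_chroot_sudo_events LOGTEXT -> number of such entries (0 when none).
count_chroot_sudo_events() {
    chroot_sudo_events "$1" | grep -c . || true
}

# Check this host; "|| status=$?" records a non-zero result without aborting
# when the script is run under "set -e".
status=0
check_installed_sudo || status=$?

# Review the sample log for chroot use; on a real host, feed in /var/log/auth.log
# or "journalctl _COMM=sudo" output instead of SAMPLE_LOG.
echo "sudo invocations with a chroot in sample log: $(count_chroot_sudo_events "$SAMPLE_LOG")"
chroot_sudo_events "$SAMPLE_LOG"
```

One caveat when reading the result: several distributions backport the fix into their existing sudo package without changing the upstream version number, so a version-only check can flag a package that is already patched. Treat the version check as a first pass and confirm against your distribution's security advisory for this CVE.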
REFERENCE
o CISA
o SL-CSIRT