
Sudo - Local Privilege Escalation via chroot

CVE-2025-32463
Verified

Description

Sudo versions 1.9.14 through 1.9.17 (fixed in 1.9.17p1) allow a local user to obtain root access by supplying an /etc/nsswitch.conf from a user-controlled directory via the --chroot (-R) option. No sudoers entry is required: the NSS modules named in that file are loaded as root before the sudoers policy is evaluated.

Severity

Critical

CVSS Score

9.3

Exploit Probability

57%

Published Date

September 13, 2025

Template Author

seungah-hong

CVE-2025-32463.yaml
id: CVE-2025-32463

info:
  name: Sudo - Local Privilege Escalation via chroot
  author: SeungAh-Hong
  severity: critical
  description: |
    Sudo versions 1.9.14 through 1.9.17 (fixed in 1.9.17p1) allow a local user to obtain root access by supplying an /etc/nsswitch.conf from a user-controlled directory via the --chroot (-R) option.
  impact: |
    A local attacker can escalate privileges to root by placing a crafted nsswitch.conf file and a malicious NSS shared library in a directory they control and passing that directory to sudo -R. Sudo loads the NSS module as root while resolving the command, before the sudoers policy is evaluated, so the attacker does not need to be listed in sudoers.
  remediation: |
    Upgrade sudo to version 1.9.17p1 or later, or to a distribution package that backports the fix (the version string alone is not a reliable indicator on such systems). The chroot option is deprecated in 1.9.17p1 and should not be relied on.
  reference:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-32463
    - https://www.sudo.ws/security/advisories/chroot_bug/
    - https://ubuntu.com/security/CVE-2025-32463
    - https://www.wiz.io/vulnerability-database/cve/cve-2025-32463
    - https://explore.alas.aws.amazon.com/CVE-2025-32463.html
  classification:
    cve-id: CVE-2025-32463
    epss-score: 0.57345
    epss-percentile: 0.9818
    cvss-score: 9.3
    cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cwe-id: CWE-426
  metadata:
    verified: true
  tags: cve,cve2025,sudo,priv-esc,linux,lpe,kev,vkev

self-contained: true

flow: code(1) && code(2)

code:
  - engine:
      - sh
      - bash
    source: |
      whoami

    matchers:
      - type: word
        part: response
        words:
          - "root"
        negative: true

  - engine:
      - sh
      - bash
    source: |
      OUT="$(sudo -n -R woot woot 2>&1 || true)"
      printf "%s\n" "$OUT"

    matchers-condition: and
    matchers:
      - type: regex
        part: response
        regex:
          - '(?i).*woot.*no such file or directory.*'

      - type: dsl
        dsl:
          - "!contains(tolower(response), 'password')"
          - "!contains(tolower(response), 'a password is required')"
          - "!contains(tolower(response), 'is not in the sudoers file')"
# digest: 4b0a00483046022100a92f71042fcf4b8d3487e5b88950ce3f40a33126aa913361a3bfd27225d22512022100bff6342d19217bb1728c5b687045a1faf0bb63653ecc3481704ae732fe33c9a7:922c64590222798bb761d5b6d8e72950
Score

9.3

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CVE ID:
CVE-2025-32463
CWE ID:
CWE-426

References

https://nvd.nist.gov/vuln/detail/CVE-2025-32463
https://www.sudo.ws/security/advisories/chroot_bug/
https://ubuntu.com/security/CVE-2025-32463
https://www.wiz.io/vulnerability-database/cve/cve-2025-32463
https://explore.alas.aws.amazon.com/CVE-2025-32463.html

Remediation Steps

Upgrade sudo to version 1.9.17p1 or later, or to a distribution package that backports the fix; on such systems the version string alone does not tell you whether the fix is present. The chroot option is deprecated in 1.9.17p1, so remove any workflows that depend on sudo -R.
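As an added example, not part of the original Nuclei template or of the sudo project, the script below reproduces in stand-alone POSIX shell the two signals this page relies on: the affected version range from the remediation (1.9.14 through 1.9.17, fixed in 1.9.17p1) and the non-interactive `sudo -n -R woot woot` probe with the template's matcher logic. The function names, the `--run` flag and the sample sudo outputs are assumptions made for the illustration; run it with `sh check-sudo-chroot.sh --run` to test the current host.

```shell
#!/bin/sh
# Added example, not part of the original Nuclei template or the sudo project.
# Reproduces the two signals used on this page as plain shell functions.

# Is an upstream sudo version inside the affected range 1.9.14 .. 1.9.17
# (fixed in 1.9.17p1)?  Returns 0 = affected, 1 = not affected, 2 = unparseable.
# Caveat: distributions backport fixes without changing the version string,
# so treat this as a hint only; the probe below is the stronger signal.
sudo_version_affected() {
    ver="$1"
    base="${ver%%p*}"                                  # "1.9.17p1" -> "1.9.17"
    plevel=0
    case "$ver" in *p*) plevel="${ver##*p}" ;; esac    # "1.9.17p1" -> "1"
    major="${base%%.*}"
    rest="${base#*.}"
    minor="${rest%%.*}"
    micro="${rest#*.}"
    for field in "$major" "$minor" "$micro" "$plevel"; do
        case "$field" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -eq 1 ] && [ "$minor" -eq 9 ] || return 1
    [ "$micro" -ge 14 ] && [ "$micro" -le 17 ] || return 1
    # 1.9.17p1 and later patch levels of 1.9.17 carry the fix
    if [ "$micro" -eq 17 ] && [ "$plevel" -ge 1 ]; then return 1; fi
    return 0
}

# Apply the template's matcher logic to the output of `sudo -n -R woot woot`.
# Prints one of: vulnerable, not-vulnerable, unknown (exit 0 / 1 / 2).
classify_probe_output() {
    out="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
    # Password or sudoers errors mean sudo evaluated the policy before
    # touching the chroot: the template's negative matchers.
    case "$out" in
        *password*|*"is not in the sudoers file"*)
            echo "not-vulnerable"; return 1 ;;
    esac
    # A vulnerable sudo tries to chroot into the bogus directory first and
    # fails with "woot: No such file or directory": the template's regex.
    case "$out" in
        *woot*"no such file or directory"*)
            echo "vulnerable"; return 0 ;;
    esac
    echo "unknown"; return 2
}

# First line of `sudo -V` is "Sudo version X.Y.Z[pN]".
installed_sudo_version() {
    sudo -V 2>/dev/null | sed -n 's/^Sudo version //p' | head -n 1
}

# Run the same probe as the template on this host and classify the result.
run_probe() {
    command -v sudo >/dev/null 2>&1 || { echo "unknown"; return 2; }
    classify_probe_output "$(sudo -n -R woot woot 2>&1 || true)"
}

if [ "${1:-}" = "--run" ]; then
    v="$(installed_sudo_version)"
    printf 'sudo version: %s\n' "${v:-unknown}"
    rc=0; sudo_version_affected "$v" || rc=$?
    case "$rc" in
        0) echo "version: inside the affected upstream range" ;;
        1) echo "version: outside the affected range (or a backported fix)" ;;
        *) echo "version: could not parse" ;;
    esac
    printf 'probe: %s\n' "$(run_probe)"
fi
```

The version check is deliberately second-class: Ubuntu, Debian and Amazon Linux ship fixed builds whose upstream version is still 1.9.15 or 1.9.16, so a host reporting "inside the affected range" with a probe result of "not-vulnerable" is most likely patched by backport. A probe result of "vulnerable" is actionable regardless of version.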