A critical vulnerability in the widely used Sudo utility has come under scrutiny following the public release of a proof-of-concept exploit, raising alarms for Linux system administrators worldwide.
CVE-2025-32463 affects the chroot (-R/--chroot) feature in Sudo versions 1.9.14 through 1.9.17, allowing any local user to escalate to root with minimal effort.
Discovered by security researcher Rich Mirch, this flaw exploits how Sudo handles user-specified root directories, allowing unauthorized command execution as the superuser.
The issue, rated CVSS 9.3 (Critical), underscores ongoing risks in privilege management tools essential to Unix-like operating systems.
Reports indicate active exploitation in the wild, prompting urgent calls for patching from organizations like CISA.
This development arrives amid a surge in Sudo-related vulnerabilities, highlighting the tool’s persistent role as a prime target for attackers seeking deeper system access.
The vulnerability stems from a change in Sudo 1.9.14 to how the command path is resolved when the -R/--chroot option is given: the chroot is entered while the command is still being resolved, before the sudoers policy is consulted. The chroot option itself predates 1.9.14; it is this path-resolution change that introduced the flaw.
In affected versions, a local user points -R at a directory they control and places an etc/nsswitch.conf inside it. While Sudo, running as root, resolves the command inside that chroot, the C library reads the attacker's nsswitch.conf and loads the NSS module it names, which is a shared library the attacker has also placed under the same directory, so attacker-supplied code runs as root.
Because this happens before the sudoers rules are evaluated, the usual restrictions do not apply: any local user can obtain root, not only those granted sudo rights in the sudoers file.
Rich Mirch identified the issue through analysis of Sudo’s path resolution logic, noting that the chroot feature’s implementation creates an error-prone vector for local privilege escalation.
The flaw does not require network access or high privileges, making it particularly dangerous in multi-user environments like servers and development machines.
Stratascale’s advisory details how this could lead to full system compromise, including data exfiltration or malware deployment.
Ubuntu and Red Hat have confirmed the vulnerability affects their distributions, with patches rolled out in recent updates.
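The mechanism above leaves a recognisable footprint on disk: a directory laid out like a chroot root with its own etc/nsswitch.conf, pointing NSS at a shared library under the same tree. The script below, an added example rather than code from the article, Stratascale or the PoC repository, hunts user-writable locations for that layout. It assumes (beyond what the page states) that glibc resolves an nsswitch.conf service name "foo" by dlopen()ing "libnss_foo.so.2", so a service token containing a "/" redirects the loader to an attacker-chosen path, and that no legitimate nsswitch.conf has a "/" in a service name. The default roots (/tmp, /var/tmp, /dev/shm, /home) are a guess at where an unprivileged user would stage the directory.

```sh
#!/bin/sh
# Added example, not code from the article, Stratascale, or the PoC repository:
# hunt a filesystem for leftovers of the technique described above, i.e. an
# attacker-prepared directory laid out as a chroot root carrying its own
# etc/nsswitch.conf that points NSS at a shared library under the same tree.
#
# Assumptions beyond the page: glibc resolves an nsswitch.conf service "foo"
# by dlopen()ing "libnss_foo.so.2", so a service token containing "/" sends the
# loader to an attacker-chosen path, and no legitimate nsswitch.conf has a "/"
# in a service name. The default roots are the usual user-writable locations.

# List every etc/nsswitch.conf below $1 except the system copy at $1/etc/.
find_stray_nsswitch() {
    root=${1%/}
    case $root in
        '') root=/; sys=/etc/nsswitch.conf ;;
        *)  sys=$root/etc/nsswitch.conf ;;
    esac
    find "$root" -type f -path '*/etc/nsswitch.conf' ! -path "$sys" 2>/dev/null
}

# Print "file:line: <entry>" for database lines in an nsswitch.conf whose
# service list contains a path-like token, e.g. "passwd: /evil"
# (glibc would then dlopen "libnss_/evil.so.2" relative to the chroot).
find_path_services() {
    awk -v f="$1" '
        { sub(/#.*/, "") }                       # drop comments
        /^[ \t]*[A-Za-z_]+[ \t]*:/ {             # a database line such as "passwd: files"
            svcs = $0
            sub(/^[^:]*:/, "", svcs)             # keep only the service list
            n = split(svcs, tok, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (tok[i] ~ /\//) { print f ":" NR ": " $0; break }
        }' "$1"
}

# Report artifacts under the given roots (default: user-writable locations).
# Exit status 0 = nothing found, 1 = at least one stray nsswitch.conf.
hunt_chroot_nss_artifacts() {
    [ $# -gt 0 ] || set -- /tmp /var/tmp /dev/shm /home
    hits=0
    for root; do
        [ -d "$root" ] || continue
        # The here-document keeps the loop in the current shell so $hits survives.
        while IFS= read -r conf; do
            [ -n "$conf" ] || continue
            hits=$((hits + 1))
            echo "[!] stray etc/nsswitch.conf (chroot layout): $conf"
            find_path_services "$conf" | sed 's/^/    path-like NSS service -> /'
            # The chroot root is two levels above etc/nsswitch.conf; any NSS-named
            # library below it is the payload candidate.
            croot=${conf%/etc/nsswitch.conf}
            find "$croot" -type f -path '*libnss_*.so*' 2>/dev/null |
                sed 's/^/    NSS-named library under that root: /'
        done <<EOF
$(find_stray_nsswitch "$root")
EOF
    done
    [ "$hits" -eq 0 ]
}

# Stand-alone use: sh hunt.sh [root ...]
if hunt_chroot_nss_artifacts "$@"; then
    echo "no chroot/NSS artifacts found"
fi
```

Run it as root so that every home directory is readable, and treat a hit as a lead rather than a verdict: a stray etc/nsswitch.conf by itself is unusual enough to investigate, while the combination of a path-like service name and an NSS-named library under the same root matches the staging this vulnerability requires.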
Proof Of Concept Demonstration
The GitHub repository by researcher kh4sh3i provides a straightforward PoC exploit, demonstrating the escalation in a controlled setting.
Users clone the repository, change into it, make the exploit.sh script executable, and run it after recording their starting user ID with id.
The script invokes sudo with the chroot option pointed at a directory it prepares, and the id output after execution shows the shell now running as root.
Terminal screenshots in the repository show the sequence: id reports a low-privilege account in the lowuser group, the exploit runs via sudo, and the prompt flips to root@test with full administrative rights.
The screenshots confirm that the exploit works reliably on unpatched systems.
The PoC is published for educational use; running it against systems you are not authorized to test is illegal. Exploit-DB hosts a similar script, underscoring how easily the technique can be adapted for malicious purposes.
Systems running vulnerable Sudo versions face severe risks, including complete takeover by local threat actors, which could facilitate lateral movement in breached networks.
Affected products span major Linux distributions: Ubuntu 24.04 LTS, 24.10, and 25.04; Red Hat Enterprise Linux variants; and Debian-based setups with Sudo 1.9.14-1.9.17.
Versions before 1.9.14 are not affected: the chroot option itself is older, but the path-resolution change that introduced the flaw arrived in 1.9.14. Immediate mitigation is to update to Sudo 1.9.17p1 or later, where that change is reverted and the chroot feature is deprecated. Distributions backport the fix without changing the upstream version number, so on Ubuntu, Red Hat or Debian check the package changelog for CVE-2025-32463 rather than relying on the output of sudo --version.
There is no configuration-level workaround: the chroot is entered during command resolution, before the sudoers policy is consulted, so restricting CHROOT= in sudoers does not prevent the attack. Until patched, AppArmor or SELinux profiles can constrain which files sudo may map or execute, and administrators should watch for sudo invocations using -R/--chroot by users who have no reason to use the option, bearing in mind that a successful exploit runs the attacker's library before sudo reaches its own logging, so an absence of log entries is not evidence that a host is clean.
CISA has added this CVE to its Known Exploited Vulnerabilities catalog, mandating federal agencies to apply patches by October 2025.
Aspect | Details |
---|---|
CVE ID | CVE-2025-32463 |
CVSS v3.1 Score | 9.3 (Critical) |
Attack Vector | Local |
Impact | High (Confidentiality, Integrity, Availability) |
Affected Versions | Sudo 1.9.14 – 1.9.17 |
Patched Versions | 1.9.17p1+ |
Organizations delaying updates risk heightened exposure, especially in cloud and containerized environments reliant on Sudo for automation.
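The affected-version range in the table above is easy to misjudge by eye because 1.9.17 is vulnerable while 1.9.17p1 is not. The following shell script, an added example that is not code from the article, the PoC repository or the Sudo project, classifies an upstream version string against that range and reports on the local sudo when run directly. It assumes upstream numbering of the form 1.9.NNpM and that the first line of sudo --version reads "Sudo version X"; as noted above, distribution packages carry backported fixes under the old upstream number, so a hit here means "check the package changelog", not "confirmed vulnerable".

```sh
#!/bin/sh
# Added example: classify a sudo version string against the CVE-2025-32463
# affected range (1.9.14 through 1.9.17, any pN suffix); 1.9.17p1 and later
# are fixed. Not code from the article, the PoC repository, or the sudo project.
#
# Caveat (assumption about your fleet; verify it): distributions ship backported
# fixes under the old upstream number, so for Ubuntu, RHEL or Debian packages
# check the package changelog for CVE-2025-32463. This script reads only the
# upstream version string.

# Turn the first line of `sudo --version` ("Sudo version 1.9.15p5") into "1.9.15p5".
sudo_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*$/\1/p'
}

# sudo_version_affected VERSION -> exit 0 if affected, 1 if not, 2 if unparsable.
# Accepts upstream strings such as 1.9.13p3, 1.9.14, 1.9.17, 1.9.17p1, 1.9.18.
sudo_version_affected() {
    ver=$1
    # Reject anything outside the upstream alphabet (digits, dots, one "p").
    case $ver in
        ''|*[!0-9.p]*) return 2 ;;
    esac
    case $ver in
        *p*) base=${ver%p*}; plevel=${ver##*p} ;;   # "1.9.17p1" -> "1.9.17", "1"
        *)   base=$ver;      plevel=0 ;;
    esac
    oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs    # split "1.9.17" on dots
    [ $# -eq 3 ] || return 2
    major=$1; minor=$2; patch=$3
    case "$major$minor$patch$plevel" in
        *[!0-9]*) return 2 ;;
    esac
    [ -n "$major" ] && [ -n "$minor" ] && [ -n "$patch" ] && [ -n "$plevel" ] || return 2
    # Only the 1.9.x line carries the flaw.
    { [ "$major" -eq 1 ] && [ "$minor" -eq 9 ]; } || return 1
    # 1.9.14 through 1.9.17 (any p-level) are candidates.
    [ "$patch" -ge 14 ] && [ "$patch" -le 17 ] || return 1
    # 1.9.17 itself is affected; 1.9.17p1 is the fix release.
    if [ "$patch" -eq 17 ] && [ "$plevel" -ge 1 ]; then return 1; fi
    return 0
}

# Stand-alone run against the local sudo, if one is installed.
if command -v sudo >/dev/null 2>&1; then
    v=$(sudo_version_from_banner "$(sudo --version 2>/dev/null | head -n 1)")
    rc=0; sudo_version_affected "$v" || rc=$?
    case $rc in
        0) echo "sudo $v: upstream version is in the affected range (1.9.14-1.9.17); check whether your package carries a backported fix" ;;
        1) echo "sudo $v: not in the affected range" ;;
        *) echo "could not parse a sudo version from: '$v'" ;;
    esac
fi
```

The function deliberately returns a distinct status for unparsable input so that a fleet-wide loop can separate "not vulnerable" from "could not tell", which matters when the output of sudo --version is missing or mangled on some hosts.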
The post New PoC Exploit Released for Sudo Chroot Privilege Escalation Vulnerability appeared first on Cyber Security News.