12-Year-Old Linux Sudo Command Vulnerability Enables Privilege Escalation to Root

A critical vulnerability in the widely-used Sudo utility that has remained hidden for over 12 years, potentially affecting millions of Linux and Unix systems worldwide.

The vulnerability , designated CVE-2025-32462, allows authorized users to escalate their privileges to root access through a simple command manipulation, requiring no sophisticated exploit techniques.

The vulnerability has been present since Sudo version 1.8.8, released in September 2013, affecting all stable versions from 1.9.0 to 1.9.17 and legacy versions from 1.8.8 to 1.8.32.

The vulnerability specifically targets systems configured with Host or Host_Alias directives, which are commonly deployed in enterprise environments to manage access across multiple servers.

Exploitation has been successfully verified on Ubuntu 24.04.1 running Sudo versions 1.9.15p5 and 1.9.16p2, as well as macOS Sequoia 15.3.2 with Sudo 1.9.13p2.

What makes this vulnerability particularly concerning is that it requires no exploit code—attackers can leverage the built-in functionality of Sudo itself to bypass security restrictions.

Linux Sudo Command Vulnerability

The vulnerability centers around the misuse of Sudo’s -h (–host) option, originally designed to allow users to list their Sudo rules for different hosts.

According to the official documentation, this option was intended for use “only with the -l (–list) option” to display permissions for remote systems.

However, researchers discovered that the host option also functions with other Sudo operations, including sudoedit, directly contradicting its documented limitations.

When administrators configure Sudo rules to restrict access based on hostnames—for example, denying production server access while permitting development server privileges—the vulnerability allows users to bypass these restrictions.

By specifying the host option with a reference to an authorized remote host, attackers can execute the corresponding rule’s permissions on their local system, even when explicitly denied access.

The attack works because Sudo’s rule evaluation process treats the remote host specification as valid for the local machine, effectively circumventing the intended access controls.

For instance, a user denied root access on a production server can gain those privileges by referencing development server rules through the host option, despite the clear intention to restrict such access.

Detection Strategies

Security experts strongly recommend immediate installation of Sudo version 1.9.17p1 or later, which addresses this vulnerability.

No workaround exists for affected systems, making the upgrade essential for maintaining security integrity. The fix, developed by Sudo maintainer Todd Miller, restricts the host option to list operations only, preventing its misuse for privilege escalation.

Administrators should conduct comprehensive audits of their Sudo configurations, examining all rules in /etc/sudoers and files under /etc/sudoers.d for Host or Host_Alias usage.

Organizations storing Sudo rules in LDAP directories should utilize tools like ldapsearch to extract and review their configurations.

Given the vulnerability’s 12-year presence and the widespread use of host-based access controls in enterprise environments, this represents a significant security concern requiring immediate attention from system administrators worldwide.

Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.