Two Critical Sudo Vulnerabilities Patched in Version 1.9.17p1

Researchers have uncovered two critical security vulnerabilities in the Sudo utility that allow local attackers to escalate privileges to root on susceptible machines. The vulnerabilities were addressed in Sudo version 1.9.17p1, released late last month, according to The Hacker News.

The first vulnerability, CVE-2025-32462, went undetected for over 12 years and affects the ‘-h’ (host) option in Sudo. The option was introduced in September 2013, and the flaw lets an attacker run on the local machine commands that are allowed on a remote host. Todd C. Miller, the Sudo project maintainer, noted that the flaw primarily impacts systems using a common sudoers file distributed across multiple machines and those leveraging LDAP-based sudoers configurations.

The second vulnerability, CVE-2025-32463, lets an attacker use the ‘-R’ (chroot) option to execute arbitrary commands as root without specific sudoers file entries. The Sudo project maintainer emphasized that these bugs highlight the necessity of maintaining up-to-date systems. The chroot option is slated for removal in future Sudo releases because it is inherently error-prone.
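
A triage check for the two points above, as an added example that is not from the article or the Sudo project: it compares a Sudo version string against 1.9.17p1 and lists sudoers rules tied to specific hosts, the shared-file setup the maintainer says CVE-2025-32462 primarily impacts. The function names and the script name are hypothetical, and the sudoers scan is a line-based heuristic rather than a full parser.

```shell
#!/bin/sh
# Added example (not from the article or the Sudo project).
FIXED="1.9.17p1"   # fixed release named in the article

# "1.9.17p1" -> "0001000900170001"; prints nothing for unrecognised strings.
ver_key() {
    printf '%s\n' "$1" | awk '/^[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?$/ {
        split($0, a, /[.p]/)
        printf "%04d%04d%04d%04d\n", a[1], a[2], a[3], a[4] }'
}

# Exit 0 if version >= FIXED, 1 if older, 2 if the string cannot be parsed.
sudo_is_patched() {
    have=$(ver_key "$1"); want=$(ver_key "$FIXED")
    [ -n "$have" ] || return 2
    [ "$(printf '%s\n%s\n' "$want" "$have" | LC_ALL=C sort | head -n 1)" = "$want" ]
}

# Heuristic: print user specifications whose host list names anything but ALL.
# Assumes one rule per line and no spaces inside the user list; does not
# follow @include directives or expand aliases.
host_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ || index($0, "=") == 0 { next }
        /^[ \t]*(Defaults|@include|[A-Za-z]+_Alias)/ { next }
        {
            lhs = $0; sub(/=.*/, "", lhs)      # user and host lists
            n = split(lhs, tok, " ")
            for (i = 2; i <= n; i++) {
                m = split(tok[i], h, ",")
                for (j = 1; j <= m; j++)
                    if (h[j] != "" && h[j] != "ALL") {
                        print FILENAME ":" FNR ": " $0; next
                    }
            }
        }' "$@"
}

# Usage: sh sudo_audit.sh /etc/sudoers /etc/sudoers.d/*
if [ "$#" -gt 0 ]; then
    v=$(sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p')
    sudo_is_patched "$v" || echo "sudo '${v:-?}' is older than $FIXED or unrecognised"
    host_rules "$@"
fi
```

Distribution packages often carry backported fixes under an older upstream version string, so an "older" result is a prompt to check the vendor's advisory rather than proof of exposure.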