Critical Sudo Flaw Actively Exploited in Linux and Unix Systems
This message is intended for U-M IT staff who are responsible for university systems that are running Linux or Unix. This may also be of interest to those running personal Linux or Unix systems.
NOTE: This issue has already been addressed on ITS-hosted Unix/Linux systems.
Summary
Threat actors are actively exploiting a critical vulnerability (CVE-2025-32463) in the sudo package that enables the execution of commands with root-level privileges on Linux and Unix operating systems.
Problem
Sudo (“superuser do”) allows system administrators to delegate their authority to specific unprivileged users while logging the executed commands and their arguments.
An attacker can exploit this flaw to escalate privileges by invoking sudo with the -R (--chroot) option, even if they are not listed in the sudoers file, the configuration file that specifies which users or groups are authorized to execute commands with elevated permissions. Vulnerable versions change root to the user-supplied directory before user and group names have been resolved, so name-service configuration is read from the attacker-controlled directory and can cause an attacker-supplied shared library to be loaded and run with root privileges. No sudoers entry is required; any local account that can run the sudo binary can exploit the flaw.
Threats
According to a U.S. Cybersecurity and Infrastructure Security Agency (CISA) alert, an exploit for this vulnerability exists in the wild, and CISA has added CVE-2025-32463 to its Known Exploited Vulnerabilities (KEV) catalog.
Affected Systems
Sudo 1.9.14 through 1.9.17 inclusive, including the patch-level releases in that range (for example 1.9.15p5 and 1.9.16p2). Check the installed version with sudo --version.
Legacy sudo versions 1.8.32 and earlier do not include the chroot feature and are not vulnerable; versions before 1.9.14 are not affected by this flaw.
Detection
Using grep, search your syslog (typically /var/log/auth.log or /var/log/secure, or the systemd journal) for CHROOT=. Sudo records the -R target as CHROOT=<directory> in the log entry for each command, so any chroot invocation you did not expect, especially one pointing at a world-writable location such as /tmp or a user's home directory, warrants investigation.
Assume compromise if suspicious activity is found. Because successful exploitation yields a root shell on the host rather than one confined to the chroot directory, treat confirmed exploitation as a full compromise and report the incident to [email protected].
Action Items
Upgrade to sudo 1.9.17p1 or later, which fixes the flaw; the chroot feature is deprecated as of that release and will be removed in a future version. Distributions that backport security fixes may ship a patched package under an older version number, so consult your vendor's advisory rather than relying on the version string alone.
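The version check from "Affected Systems" and the CHROOT= log search from "Detection", combined into one triage script. This is an added example for this notice, not code from the original message or from the sudo project. It assumes syslog-style sudo log lines; the sample log lines and the function names (sudo_is_vulnerable, scan_chroot_log, count_chroot_invocations) are this example's own and not drawn from any real U-M system.

```shell
#!/bin/sh
# Added example for this notice (not U-M or sudo-project code): triage a Linux
# host for CVE-2025-32463 by (1) checking the installed sudo version against
# the affected range and (2) scanning syslog-style log lines for the CHROOT=
# token that sudo writes when the -R/--chroot option is used.

# Return 0 if VERSION is in the affected range 1.9.14 .. 1.9.17 inclusive
# (any patch level, e.g. 1.9.15p5), 1 otherwise. 1.9.17p1 is the fixed release.
# Accepts either a bare version or the first line of `sudo --version`.
sudo_is_vulnerable() {
    ver=${1#"Sudo version "}
    patch=0
    case "$ver" in
        *p*) patch=${ver##*p}; ver=${ver%%p*} ;;   # split "1.9.15p5" -> 1.9.15 / 5
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) micro=${rest#*.} ;;
        *)   micro=0 ;;
    esac
    [ "$major" = 1 ] && [ "$minor" = 9 ] || return 1
    case "$micro" in
        14|15|16) return 0 ;;
        17)       [ "$patch" = 0 ] && return 0 || return 1 ;;
        *)        return 1 ;;
    esac
}

# Print every log line in which sudo recorded a chroot (-R) invocation. Sudo
# logs the target as "CHROOT=<dir>" alongside the TTY=, PWD=, USER= and
# COMMAND= fields. Reads the named files, or stdin when none are given;
# exit status is 0 if at least one line matched.
scan_chroot_log() {
    grep -E 'sudo(\[[0-9]+\])?: .*CHROOT=' "$@"
}

# Print the number of chroot invocations in the given log input (0 if none).
count_chroot_invocations() {
    scan_chroot_log "$@" | grep -c .
}

# Constructed sample lines (not real U-M logs): an ordinary sudo entry and one
# in which a user ran sudo -R against a directory under /tmp, the kind of
# entry an exploitation attempt would leave behind.
SAMPLE_LOG='Sep 30 10:15:22 host1 sudo[4821]:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Sep 30 10:16:03 host1 sudo[4903]:      bob : TTY=pts/1 ; CHROOT=/tmp/stage ; PWD=/tmp ; USER=root ; COMMAND=/bin/sh'

# When run directly: report the installed sudo version (if sudo is present),
# then scan the constructed sample, which prints only the bob line.
if command -v sudo >/dev/null 2>&1; then
    installed=$(sudo --version 2>/dev/null | head -n 1)
    if sudo_is_vulnerable "$installed"; then
        echo "VULNERABLE: $installed (upgrade to 1.9.17p1 or later)"
    else
        echo "not in affected range: ${installed:-version unknown}"
    fi
fi
printf '%s\n' "$SAMPLE_LOG" | scan_chroot_log
```

On a real host, point scan_chroot_log at the actual logs (for example `scan_chroot_log /var/log/auth.log /var/log/secure` or `journalctl _COMM=sudo | scan_chroot_log`) and include rotated files. Two caveats: the version check matches the upstream version string only, so a distribution package that backports the fix under a 1.9.14-1.9.17 version number will still be reported as vulnerable (confirm against your vendor's advisory); and the absence of CHROOT= lines does not prove no exploitation, because the malicious code runs inside sudo during user lookup, before the command would normally be logged, so an attacker who starts a shell from there may leave no sudo log entry at all. Pair the log search with the version check and with EDR telemetry.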
How We Protect U-M
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- CISA Sounds Alarm on Critical Sudo Flaw Actively Exploited in Linux and Unix Systems (The Hacker News, September 30, 2025)
- CISA warns of critical Linux Sudo flaw exploited in attacks (BleepingComputer, September 30, 2025)
- CVE-2025-32463: Sudo Privilege Escalation Vulnerability Exploited, CISA Warns (SOCRadar, October 1, 2025)