CVE-2025-32463 and CVE-2025-32462: Sudo Local Privilege Escalation Vulnerabilities Threaten Linux Environments




Following the disclosure of two local privilege escalation (LPE) vulnerabilities, CVE-2025-6018 and CVE-2025-6019, less than a month ago, both of which impact major Linux distributions, a new wave of security flaws targeting Linux systems has emerged. Security researchers have identified two local privilege escalation vulnerabilities, tracked as CVE-2025-32462 and CVE-2025-32463, that affect the widely used Sudo utility installed on a broad range of Linux distributions.

Exploiting vulnerabilities continues to be one of the primary methods attackers use to gain initial access. In 2025, the use of this tactic surged by 34% compared to the previous year, contributing to a notable rise in security breaches. Over 24,500 vulnerabilities have been disclosed so far in 2025, with more than 2,500 reported issues impacting various Linux distributions. Although this is below the total number of security flaws recorded in 2024, the current pace of disclosures indicates that the total count for 2025 may ultimately exceed last year’s figure. This surge highlights a considerable exposure to potential threats, including vulnerabilities that may enable privilege escalation or grant full root access.

Privilege escalation vulnerabilities are still a significant concern in 2025, with several critical new flaws being reported, including the recently disclosed CVE-2025-49144, which affects Notepad++ version 8.8.1 and potentially leads to full system compromise. To stay ahead in this ever-evolving threat landscape, defenders should depend on up-to-date detection content and advanced threat-hunting capabilities.

Register for SOC Prime Platform to reach the global active threats feed, offering actionable CTI and curated detection algorithms to proactively thwart emerging threats at the earliest attack stages. SOC Prime Platform equips security teams with a comprehensive collection of vendor-agnostic Sigma rules for vulnerability exploitation detection that can be deployed across diverse SIEM, EDR, and Data Lake systems. All relevant detections are mapped to MITRE ATT&CK® and enriched with relevant metadata. Click the Explore Detections button to access the dedicated Sigma rules addressing current and existing vulnerabilities filtered by the “CVE” tag.

Explore Detections

Security engineers can also leverage Uncoder AI to optimize the entire detection engineering process, boosting both efficiency and threat coverage. Convert IOCs into custom hunting queries in an automated fashion, craft detection logic from real-time threat intelligence via AI, and build SOC-ready use cases with custom AI prompts. Additional features include syntax validation, refinement of detection logic, automated visualization of Attack Flows, and Sigma rule enrichment with comprehensive ATT&CK techniques and sub-techniques—all designed to elevate detection accuracy and accelerate response.

CVE-2025-32463 and CVE-2025-32462 Analysis

The Stratascale Cyber Research Unit has recently revealed two LPE vulnerabilities in the Sudo command-line utility commonly used in Unix-like operating systems. Sudo allows non-privileged users to execute commands with elevated permissions, typically as the root user, without requiring a full root login. These flaws (CVE-2025-32463 and CVE-2025-32462) impact several major Linux distributions, including Ubuntu and Fedora, and extend to macOS Sequoia, which is built on a Unix-based architecture.

CVE-2025-32463 is a critical vulnerability involving the --chroot (-R) option, which, if permitted by the sudoers policy, allows commands to be executed within a user-defined root directory.

In Sudo version 1.9.14, a change was introduced that resolves paths via chroot() while the sudoers file is still being parsed. This opened a loophole: an attacker can place a fake /etc/nsswitch.conf file inside the chroot directory they specify, and if the system honors that file, Sudo can be tricked into loading a malicious shared library, potentially granting root access. This vulnerability affects versions 1.9.14 through 1.9.17. Legacy versions are not impacted since they lack support for the chroot option.

Another security issue, CVE-2025-32462, is a low-severity privilege escalation flaw that has existed in Sudo’s codebase for over 12 years and stems from improper enforcement of the --host (-h) option. This flag is intended to be used with the --list (-l) command to display a user’s sudo privileges for a different host. However, due to a bug, it could also be used when executing commands or editing files, not just listing permissions.

The vulnerability becomes exploitable when Sudo rules are restricted to specific hostnames or patterns. In such cases, privilege escalation to root can occur without the need for a sophisticated exploit. This issue affects both stable (v1.9.0–1.9.17) and legacy (v1.8.8–1.8.32) versions of Sudo.

Since no workarounds currently exist for these vulnerabilities, security experts recommend updating to Sudo version 1.9.17p1 as the primary CVE-2025-32463 and CVE-2025-32462 mitigation. This release addresses both vulnerabilities. As Sudo is bundled by default with most mainstream Linux desktop distributions, users should ensure their systems have received the latest patches. Major distros like Ubuntu, Debian, and SUSE have already rolled out the necessary updates.
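To turn the version ranges and preconditions above into something an administrator can run, here is an added POSIX shell audit script. It is an example written for this page, not code from SOC Prime, Stratascale or the Sudo project. It classifies a Sudo version string against the affected ranges stated in the article (1.9.14 through 1.9.17 for CVE-2025-32463; 1.9.0 through 1.9.17 and 1.8.8 through 1.8.32 for CVE-2025-32462) and scans sudoers text for the two conditions that make each flaw relevant: a CHROOT= tag and rules bound to specific hosts rather than ALL. Assumptions: `sudo --version` prints a first line of the form `Sudo version X.Y.Z`, a `p` suffix (as in 1.9.17p1) sorts after the bare version, and the sample sudoers content in `SAMPLE_SUDOERS` is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Sudo install against the ranges named in the article.
# Not part of the article or the Sudo project; version arithmetic and the
# sudoers heuristics below are this example's own assumptions.

# Map "1.9.17p1" to an integer so ranges can be compared with [ -le ] / [ -ge ].
# Assumption: a "p" release sorts after its bare version (1.9.17p1 > 1.9.17).
vernum() {
  printf '%s' "$1" | tr '.p' '  ' | awk '{ print $1*1000000 + $2*10000 + $3*100 + $4 }'
}

# Print the CVEs a given Sudo version falls under, or "none".
sudo_affected() {
  _n=$(vernum "$1"); _out=""
  # CVE-2025-32463: 1.9.14 through 1.9.17 (only these builds have --chroot)
  if [ "$_n" -ge "$(vernum 1.9.14)" ] && [ "$_n" -le "$(vernum 1.9.17)" ]; then
    _out="$_out CVE-2025-32463"
  fi
  # CVE-2025-32462: stable 1.9.0-1.9.17 and legacy 1.8.8-1.8.32
  if { [ "$_n" -ge "$(vernum 1.9.0)" ] && [ "$_n" -le "$(vernum 1.9.17)" ]; } ||
     { [ "$_n" -ge "$(vernum 1.8.8)" ] && [ "$_n" -le "$(vernum 1.8.32)" ]; }; then
    _out="$_out CVE-2025-32462"
  fi
  _out=${_out# }
  printf '%s\n' "${_out:-none}"
}

# Pull the version out of `sudo --version` output read from stdin.
sudo_version_from_output() {
  sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

# Scan sudoers text on stdin. Reports whether any rule carries a CHROOT= tag
# (the precondition for CVE-2025-32463) and whether any rule is restricted to
# a host or host alias instead of ALL (the precondition for CVE-2025-32462).
sudoers_findings() {
  _chroot=0; _hostbound=0
  while IFS= read -r _line; do
    case "$_line" in '#'*|'') continue ;; esac            # comments, blanks
    case "$_line" in Defaults*|*_Alias*|@*) continue ;; esac  # not user rules
    case "$_line" in *CHROOT=*) _chroot=1 ;; esac
    # Rule shape: <user> <host> = ... ; anything but ALL in the host field counts
    if printf '%s\n' "$_line" | grep -Eq '^[^[:space:]]+[[:space:]]+[^[:space:]=]+[[:space:]]*=' &&
       ! printf '%s\n' "$_line" | grep -Eq '^[^[:space:]]+[[:space:]]+ALL[[:space:]]*='; then
      _hostbound=1
    fi
  done
  printf 'chroot_rules=%s hostbound_rules=%s\n' "$_chroot" "$_hostbound"
}

# Constructed sample policy (not a real sudoers file) used to exercise the scanner.
SAMPLE_SUDOERS='# constructed sample, not a real policy
Defaults secure_path="/usr/sbin:/usr/bin"
Host_Alias WEBHOSTS = web01, web02
%admin ALL=(ALL:ALL) ALL
alice WEBHOSTS = (root) NOPASSWD: /usr/bin/systemctl restart nginx
bob ALL=(root) CHROOT=/srv/jail /bin/ls'

# Run against the local system with `sh sudo_audit.sh --live`
# (reading /etc/sudoers requires root; otherwise only the version is reported).
if [ "${1:-}" = "--live" ]; then
  _v=$(sudo --version 2>/dev/null | sudo_version_from_output)
  printf 'sudo %s: affected by %s\n' "${_v:-unknown}" "$(sudo_affected "${_v:-0.0.0}")"
  cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | sudoers_findings
fi
```

On a patched host the first line reads `sudo 1.9.17p1: affected by none`; a `hostbound_rules=1` result on an affected version is the case the article singles out as exploitable without a sophisticated exploit, and `chroot_rules=1` marks policies where the --chroot option is actually permitted.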

With the surge in local privilege escalation flaws and the constantly rising risks of vulnerability exploitation across Linux distributions, it’s critical for defenders to stay vigilant and prioritize timely patching. Moreover, proactive threat detection and implementing future-proof strategies to strengthen defense are vital to minimizing exposure in an increasingly targeted threat landscape. Leveraging SOC Prime’s complete product suite, backed by AI, automation, and real-time CTI, empowers organizations to outscale cyber threats they anticipate most. 


