CVE-2025-32463 (CVSS base score 9.3)
- EPSS 23.61%
- Published 30.06.2025 00:00:00
- Last modified 30.09.2025 13:30:30
- Source cve@mitre.org
Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option.
Linked by AI from unstructured data to existing NVD CPEs.
Data is provided by the National Vulnerability Database (NVD)
Vendor | Product | Version | Update / Edition |
---|---|---|---|
Sudo Project | Sudo | >= 1.9.14, < 1.9.17 | - |
Sudo Project | Sudo | 1.9.17 | - |
Canonical | Ubuntu Linux | 22.04 | LTS |
Canonical | Ubuntu Linux | 24.04 | LTS |
Canonical | Ubuntu Linux | 24.10 | - |
Canonical | Ubuntu Linux | 25.04 | - |
Debian | Debian Linux | 11.0 | - |
Debian | Debian Linux | 12.0 | - |
Debian | Debian Linux | 13.0 | - |
Redhat | Enterprise Linux | 10.0 | - |
Suse | Linux Enterprise Desktop | 15 | SP6 |
Suse | Linux Enterprise Desktop | 15 | SP7 |
Suse | Linux Enterprise Real Time | 15.0 | SP2 |
Suse | Linux Enterprise Real Time | 15.0 | SP6 |
Suse | Linux Enterprise Real Time | 15.0 | SP7 |
Suse | Linux Enterprise Server For Sap | 12 | SP6 |
Suse | Linux Enterprise Server For Sap | 12 | SP7 |
29.09.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog
- Vulnerability: Sudo Inclusion of Functionality from Untrusted Control Sphere Vulnerability
- Description: Sudo contains an inclusion of functionality from untrusted control sphere vulnerability. This vulnerability could allow a local attacker to leverage sudo's -R (--chroot) option to run arbitrary commands as root, even if they are not listed in the sudoers file.
- Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 23.61% | 0.958 |

Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 7.8 | 1.8 | 5.9 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
cve@mitre.org | 9.3 | 2.5 | 6 | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.