CVE-2025-32462
BaseFortify
Publication date: 2025-06-30
Last updated on: 2025-11-03
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sudo_project | sudo | to 1.9.17 (exc) |
| sudo_project | sudo | 1.9.17 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-32462 is a vulnerability in sudo versions 1.8.8 through 1.9.17 where the host option (-h) can be misused. Normally, the -h option is only for listing sudo privileges on a different host, but due to a bug, it can be used when running commands or editing files. This causes the hostname field in sudoers rules to be ignored, allowing users with privileges on a specific host to execute commands on any host by specifying that host with -h, even if they lack privileges on the current host. This mainly affects environments with host-specific sudoers rules shared across multiple machines. [1]
How can this vulnerability impact me? :
This vulnerability can allow users who have sudo privileges on one specific host to execute commands on other unintended hosts where they normally would not have such privileges. This can lead to unauthorized command execution across multiple machines in environments using centralized or host-specific sudoers configurations, potentially compromising system security and control. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking the sudo version installed on your systems. Versions from 1.8.8 through 1.9.17 inclusive are affected. To check the sudo version, run the command: sudo --version. Additionally, inspect your sudoers files for host-specific rules that specify hosts other than ALL. Look for entries that restrict sudo privileges to specific hosts. Since the vulnerability involves misuse of the -h option, you can also audit sudo command usage logs for instances where the -h option is used to specify a host different from the current one. For example, searching logs for 'sudo -h' usage may help identify exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade sudo to version 1.9.17p1 or later, where this vulnerability is fixed. If upgrading immediately is not possible, review and modify your sudoers files to avoid host-specific rules that restrict privileges to particular hosts, or ensure that sudoers files are not shared across multiple machines in a way that could be exploited. Also, monitor and restrict the use of the -h option in sudo commands if possible. [1]