// For flags

CVE-2025-32462

sudo: LPE via host option

Severity Score

2.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Track
*SSVC
Descriptions

Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.

A privilege escalation vulnerability was found in Sudo. In certain configurations, unauthorized users can gain elevated system privileges via the Sudo host option (`-h` or `--host`). When using the default sudo security policy plugin (sudoers), the host option is intended to be used in conjunction with the list option (`-l` or `--list`) to determine what permissions a user has on a different system. However, this restriction can be bypassed, allowing a user to elevate their privileges on one system to the privileges they may have on a different system, effectively ignoring the host identifier in any sudoers rules. This vulnerability is particularly impactful for systems that share a single sudoers configuration file across multiple computers or use network-based user directories, such as LDAP, to provide sudoers rules on a system.

Rich Mirch discovered that sudo, a program designed to provide limited super user privileges to specific users, does not correctly handle the host (-h or --host) option. Due to a bug the host option was not restricted to listing privileges only and could be used when running a command via sudo or editing a file with sudoedit. Depending on the rules present in the sudoers file the flaw might allow a local privilege escalation attack. For the stable distribution (bookworm), this problem has been fixed in version 1.9.13p3-1+deb12u2.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
High
Authentication
Single
Confidentiality
Complete
Integrity
Complete
Availability
Complete
* Common Vulnerability Scoring System
SSVC
  • Decision:Track
Exploitation
None
Automatable
No
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2025-04-09 CVE Reserved
  • 2025-06-30 CVE Published
  • 2025-07-01 CVE Updated
  • 2025-07-01 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-863: Incorrect Authorization
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Oracle
Search vendor "Oracle"
Linux
Search vendor "Oracle" for product "Linux"
*-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
*-
Affected
Sudo Project
Search vendor "Sudo Project"
Sudo
Search vendor "Sudo Project" for product "Sudo"
*-
Affected
Alma
Search vendor "Alma"
Linux
Search vendor "Alma" for product "Linux"
*-
Affected
Canonical
Search vendor "Canonical"
Ubuntu Linux
Search vendor "Canonical" for product "Ubuntu Linux"
*-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
*-
Affected
Freebsd
Search vendor "Freebsd"
Freebsd
Search vendor "Freebsd" for product "Freebsd"
*-
Affected
Opensuse
Search vendor "Opensuse"
Leap
Search vendor "Opensuse" for product "Leap"
*-
Affected
Oracle
Search vendor "Oracle"
Linux
Search vendor "Oracle" for product "Linux"
*-
Affected
Redhat
Search vendor "Redhat"
Enterprise Linux
Search vendor "Redhat" for product "Enterprise Linux"
*-
Affected
Redhat
Search vendor "Redhat"
Rhel Eus
Search vendor "Redhat" for product "Rhel Eus"
*-
Affected
Slackware
Search vendor "Slackware"
Slackware Linux
Search vendor "Slackware" for product "Slackware Linux"
*-
Affected
Suse
Search vendor "Suse"
Sle-module-basesystem
Search vendor "Suse" for product "Sle-module-basesystem"
*-
Affected
Suse
Search vendor "Suse"
Sle Hpc-espos
Search vendor "Suse" for product "Sle Hpc-espos"
*-
Affected
Suse
Search vendor "Suse"
Sle Hpc-ltss
Search vendor "Suse" for product "Sle Hpc-ltss"
*-
Affected
Suse
Search vendor "Suse"
Sle Hpc
Search vendor "Suse" for product "Sle Hpc"
*-
Affected
Suse
Search vendor "Suse"
Sled
Search vendor "Suse" for product "Sled"
*-
Affected
Suse
Search vendor "Suse"
Sles-ltss-extended-security
Search vendor "Suse" for product "Sles-ltss-extended-security"
*-
Affected
Suse
Search vendor "Suse"
Sles-ltss
Search vendor "Suse" for product "Sles-ltss"
*-
Affected
Suse
Search vendor "Suse"
Sles
Search vendor "Suse" for product "Sles"
*-
Affected
Suse
Search vendor "Suse"
Sles Sap
Search vendor "Suse" for product "Sles Sap"
*-
Affected
Suse
Search vendor "Suse"
Suse-manager-proxy
Search vendor "Suse" for product "Suse-manager-proxy"
*-
Affected
Suse
Search vendor "Suse"
Suse-manager-server
Search vendor "Suse" for product "Suse-manager-server"
*-
Affected