Two bugs in the Linux Sudo utility patched, one rated critical


Two local privilege escalation vulnerabilities in the Sudo utility for Linux were recently disclosed. Either could let a local attacker gain root, which would allow a full takeover of an affected enterprise system.

Companies use the Sudo command-line tool on Linux systems to run commands as the superuser. Sudo supports the principle of least privilege: users can perform the administrative tasks that require elevated permissions without being given the root password.

In a June 30 Stratascale blog post, the two bugs were identified as CVE-2025-32462, which has a CVSS score of 2.8, and CVE-2025-32463, a critical bug assigned a CVSS score of 9.3.

The vulnerabilities were patched in Sudo version 1.9.17p1, released in late June following responsible disclosure on April 1. Several Linux distributions have also issued advisories, since Sudo ships preinstalled on most of them.

Security pros said teams should prioritize patching both bugs, even though only one of them received a critical CVSS rating.

“Both the recently disclosed Sudo vulnerabilities should be treated as priorities for resolution by organizations, as both enable potential elevation of user privileges and unintended execution of commands on impacted devices across an organization's environment,” said Ben Hutchison, associate principal consultant at Black Duck.

Marc England, security consultant at Black Duck, added that CVE-2025-32462 received a lower CVSS score because of the conditions it needs. England said successful exploitation would require someone to have already made a misconfiguration by deploying a sudoers file with an incorrect host entry: the error has to happen elsewhere before the vulnerability can be used.

“On the other hand, CVE-2025-32463 involves a local privilege escalation vector that doesn't require the user to be in the sudoers file,” said England.
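As an added example that is not code from the article, from Stratascale or from the Sudo project, the following POSIX shell script implements the two checks a practitioner would want after reading the above: whether the installed sudo predates the fixed 1.9.17p1 release, and whether a sudoers file contains the host-specific rules that England describes as the precondition for CVE-2025-32462. The sudoers content is a constructed sample, the function names and the version-encoding scheme are this example's own, and the installed-version check assumes the upstream `Sudo version X.Y.Z` banner.

```shell
#!/bin/sh
# Added example (not code from the SC Media article or the Sudo project).
# Two quick checks for the conditions the article describes:
#   1. Is the installed sudo older than 1.9.17p1, the release carrying the fixes?
#   2. Does a sudoers file contain rules whose host field is not ALL, the
#      misconfiguration reported as a precondition for CVE-2025-32462?
# Caveat: distributions often backport fixes without bumping the upstream version
# string, so a "predates" result from check 1 means "consult the distro advisory",
# not "definitely exploitable".

# Encode "MAJOR.MINOR.PATCH[pN]" as one integer so versions compare numerically.
# A missing "pN" counts as p0, so 1.9.17 sorts before 1.9.17p1.
version_key() {
    vk_v="$1"
    vk_major=${vk_v%%.*}; vk_rest=${vk_v#*.}
    vk_minor=${vk_rest%%.*}; vk_rest=${vk_rest#*.}
    vk_patch=${vk_rest%%p*}
    case "$vk_rest" in
        *p*) vk_p=${vk_rest#*p} ;;
        *)   vk_p=0 ;;
    esac
    echo $(( vk_major * 1000000 + vk_minor * 10000 + vk_patch * 100 + vk_p ))
}

# True (exit 0) when the given sudo version string predates 1.9.17p1.
sudo_is_vulnerable() {
    [ "$(version_key "$1")" -lt "$(version_key 1.9.17p1)" ]
}

# Version number from the first line of `sudo --version` on the local host,
# which reads "Sudo version 1.9.16p2" on an upstream build (empty if no sudo).
installed_sudo_version() {
    sudo --version 2>/dev/null | awk 'NR == 1 { print $3 }'
}

# Audit sudoers text on stdin: print user specifications whose host field is
# anything other than ALL (a literal host, a host list, or a Host_Alias name).
# Comments, blank lines, Defaults, alias definitions and @include lines are skipped.
host_specific_rules() {
    awk '
        /^[[:space:]]*#/ { next }
        /^[[:space:]]*$/ { next }
        /^[[:space:]]*@/ { next }
        /^[[:space:]]*(Defaults|Host_Alias|User_Alias|Runas_Alias|Cmnd_Alias)/ { next }
        /=/ {
            split($0, lhs, "=")
            sub(/^[[:space:]]+/, "", lhs[1]); sub(/[[:space:]]+$/, "", lhs[1])
            n = split(lhs[1], f, /[[:space:]]+/)
            if (n >= 2 && f[2] != "ALL") print
        }
    '
}

# Constructed sample sudoers file (not taken from any real system).
SAMPLE_SUDOERS='# constructed sample
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/sbin:/sbin:/usr/bin:/bin"
Host_Alias BUILD = build01, build02
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
alice   build01=(root) /usr/bin/make
bob     BUILD=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
carol   ALL=(ALL) /usr/bin/apt
@includedir /etc/sudoers.d'

# Number of host-specific rules in the sample (alice and bob, so 2).
sample_host_specific_count() {
    printf '%s\n' "$SAMPLE_SUDOERS" | host_specific_rules | wc -l | tr -d ' '
}

echo "Host-specific sudoers rules in the sample:"
printf '%s\n' "$SAMPLE_SUDOERS" | host_specific_rules

installed=$(installed_sudo_version)
if [ -n "$installed" ]; then
    if sudo_is_vulnerable "$installed"; then
        echo "sudo $installed predates 1.9.17p1: check your distribution's advisory"
    else
        echo "sudo $installed is at or above 1.9.17p1"
    fi
fi
```

On a real host, feed the live policy through the audit function with something like `sudo cat /etc/sudoers /etc/sudoers.d/* | host_specific_rules`; any line it prints is a rule whose host field should be reviewed, since such rules are exactly what CVE-2025-32462 needed to be present. The version check deliberately reports only "predates the upstream fix", because a distro build of 1.9.15 or 1.9.16 with the fix backported will still show the old version string.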
