Description
Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.
CVSS breakdown
CVSS 3.1
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None
Affected products
- Sudo project / Sudo1.8.8 – 1.9.17p1
References
- VENDOR_ADVISORYhttps://www.sudo.ws/security/advisories/
- MISChttps://www.sudo.ws/releases/changelog/
- MISChttps://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host
- MAILING_LISThttps://www.openwall.com/lists/oss-security/2025/06/30/2
- VENDOR_ADVISORYhttps://ubuntu.com/security/notices/USN-7604-1
- MISChttps://www.secpod.com/blog/sudo-lpe-vulnerabilities-resolved-what-you-need-to-know-about-cve-2025-32462-and-cve-2025-32463/
- VENDOR_ADVISORYhttps://www.sudo.ws/security/advisories/host_any/
- MAILING_LISThttps://lists.debian.org/debian-security-announce/2025/msg00118.html
- MISChttps://explore.alas.aws.amazon.com/CVE-2025-32462.html
- MISChttps://bugs.gentoo.org/show_bug.cgi?id=CVE-2025-32462
- VENDOR_ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2025-32462
- MISChttps://www.suse.com/security/cve/CVE-2025-32462.html
- VENDOR_ADVISORYhttps://access.redhat.com/security/cve/cve-2025-32462