A critical vulnerability was recently identified in the widely-used sudo utility, affecting systems that rely on host-based rules in the sudoers file. Known as CVE‑2025‑32462, this bug allows low-privileged local users to escalate to root by abusing the -h/--host option. Discovered by Rich Mirch of Stratascale and present in sudo for over a decade, this flaw highlights the need for diligent patching—even in mature tools like sudo.

In the blog post, we’ll cover what the issue is, how it works, how to detect it, and most importantly, how to fix it.

• What’s Going On?
• Who Is at Risk?
• How It Works
• Detection & Testing
• Fix and Recommendations
• Conclusion

What’s Going On?

• The -h/--host flag in sudo was originally intended to list how a user’s permissions apply on different hosts—not for executing commands.
• Due to a logic oversight, this flag could be misused to apply permissions from a different host context, effectively bypassing host-based restrictions in the sudoers file.

Who Is at Risk?

• Environments using host-based sudoers rules, especially with Host or Host_Alias directives—typical in LDAP or multi-machine setups.
• All versions of sudo from 1.8.8 up to, but not including, 1.9.17p1.
• Affects major Linux distributions (Ubuntu, Debian, Red Hat, SUSE, Alpine, Amazon Linux, etc.) and Unix-like systems including macOS.

How It Works

• An attacker with a low-privileged account on hostA uses:

sudo -h hostB <allowed-command>

• sudo applies permissions intended for hostB, not hostA.
• Even if the user is restricted on hostA, they can now run root commands that are permitted on hostB.

Detection & Testing

• Search your sudoers and /etc/sudoers.d/ files for Host or Host_Alias directives.
• Attempt the exploit by running a harmless command with -h to test if host-based rules are enforced.

Example:

sudo -h <trusted-host> -l

If host-based restrictions don’t apply as expected, your sudo version is vulnerable.

Fix and Recommendations

• Upgrade sudo to v1.9.17p1 or later using your distro’s package manager.
• Review sudoers configurations—minimize the use of host-based rules.
• For added security, monitor sudo usage and consider removing the -h option or move toward centralized authorization (e.g., LDAP).

Conclusion

This vulnerability shows that even seasoned tools like sudo can harbor high-impact bugs when new flags are introduced. If your setup uses host-specific rules in sudoers, your systems are at risk unless updated.

Next steps:

• Patch systems immediately to v1.9.17p1 or newer.
• Audit sudoers for host-based policies.
• Continue security reviews for foundational tools.

📝 For more information about this vulnerability, please review this article.