CVE-2025-32462

low-risk

Published 2025-06-30

Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines.

Do I need to act?

21.7% chance of exploitation in next 30 days

EPSS score — higher than 78% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

1 public exploit available

52354

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 2.8/10 Low

LOCAL / HIGH complexity

Affected Products (2)

Sudo

Affected Vendors

Sudo Project

References (14)

https://access.redhat.com/security/cve/cve-2025-32462

https://bugs.gentoo.org/show_bug.cgi?id=CVE-2025-32462

https://explore.alas.aws.amazon.com/CVE-2025-32462.html

https://lists.debian.org/debian-security-announce/2025/msg00118.html

https://security-tracker.debian.org/tracker/CVE-2025-32462

https://ubuntu.com/security/notices/USN-7604-1

Mailing List https://www.openwall.com/lists/oss-security/2025/06/30/2

Third Party Advisory https://www.secpod.com/blog/sudo-lpe-vulnerabilities-resolved-what-you-need-to-k...

Exploit https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host

Release Notes https://www.sudo.ws/releases/changelog/

Vendor Advisory https://www.sudo.ws/security/advisories/

https://www.sudo.ws/security/advisories/host_any/

https://www.suse.com/security/cve/CVE-2025-32462.html

https://lists.debian.org/debian-lts-announce/2025/06/msg00033.html

/ 100

low-risk

Severity 7/34 · Low

Exploitability 14/34 · Moderate

Exposure 7/34 · Low