[SA-0009] - sudo Privilege Escalation

Dear Valued Sippy Customer,


A security vulnerability in sudo was reported in the FreeBSD operating system. Two significant vulnerabilities were identified in Linux and Mac OS systems that allow local users to quickly escalate privileges, disable security measures, and move deeper into the network. Those vulnerabilities are detailed below. A patched version of sudo will be available to be rolled out to our Customers as early as July 21st, 2025. Please contact our support team to schedule an update.


A closer look at each vulnerability

CVE-2025-32462 — “Policy-Check Flaw”

The -h / --host option in sudo was intended only for sudo -l (listing privileges). In affected versions it could be supplied with any command, which tricked sudo into evaluating the policy as if it were running on a permitted host. A user with even minimal sudo access could then run commands as root, bypassing host-specific rules.

The fix ensures -h is rejected unless used with -l.


CVE-2025-32463 — “chroot to root”

This issue involves sudo’s -R / --chroot option. Older versions would switch into the specified directory before fully evaluating privileges. An attacker could prepare a writable directory (for example under /tmp), place a fake /etc/nsswitch.conf and a malicious libnss_*.so library there, and then invoke sudo. Sudo would load the attacker’s code as root.

The latest sudo release disables this chroot behavior during policy checks.
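The two descriptions above point at what an administrator should audit before the patch lands: sudoers rules that are host-specific (the ones -h could sidestep), sudo log entries recording a chroot under a writable staging directory, and the installed sudo version itself. The script below is an added example written for this note; it is not part of Sippy's advisory or of the sudo project. It only reads files and never invokes sudo with privileges. The fixed sudo version is left as a placeholder to be filled in from the sudo project's own advisory, the sample sudoers and log lines are constructed, and the "CHROOT=" log field is an assumption about the syslog line format that should be checked against your own sudo logging.

```shell
#!/bin/sh
# Added example, not from Sippy's advisory or the sudo project: read-only
# pre-patch audit helpers for CVE-2025-32462 and CVE-2025-32463.

# ASSUMPTION: set this from the sudo project's advisory for these CVEs.
FIXED_VERSION="${FIXED_VERSION:-REPLACE_WITH_FIXED_SUDO_VERSION}"

# version_lt A B : true when version A sorts before version B.
# sudo's "p" patch suffix (e.g. 1.9.17p1) is treated as a fourth numeric field.
version_lt() {
    a=$(printf '%s' "$1" | sed 's/p/./g')
    b=$(printf '%s' "$2" | sed 's/p/./g')
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        x=${x:-0}; y=${y:-0}          # missing fields count as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# sudo_version_from_output TEXT : extract the version token from `sudo --version`.
sudo_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Sudo version \([0-9][0-9.p]*\).*/\1/p' | head -n 1
}

# host_specific_rules FILE : print sudoers user specs whose host field is not
# ALL. Before the CVE-2025-32462 fix, -h let a user bypass exactly these rules,
# so hosts carrying them belong at the front of the patch queue.
host_specific_rules() {
    awk '
        /^[ \t]*(#|Defaults|Host_Alias|User_Alias|Cmnd_Alias|Runas_Alias)/ { next }
        /=/ {
            spec = $0
            sub(/=.*/, "", spec)          # keep only the "user host" prefix
            sub(/^[ \t]+/, "", spec)
            n = split(spec, f, /[ \t]+/)
            if (n >= 2 && f[2] != "" && f[2] != "ALL") print $0
        }' "$1"
}

# chroot_log_hits LOGFILE : print sudo log lines whose recorded chroot lies
# under a world-writable staging directory, the setup CVE-2025-32463 relies on.
# ASSUMPTION: syslog-style sudo lines carry a "CHROOT=<dir>" field.
chroot_log_hits() {
    grep -E 'sudo.*CHROOT=(/tmp|/var/tmp|/dev/shm)' "$1" || true
}

# count_lines : portable line counter (avoids wc's leading whitespace on BSD).
count_lines() { awk 'END { print NR + 0 }'; }

# Constructed sample data (not real systems) so the helpers run offline.
DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
cat > "$DEMO_DIR/sudoers" <<'EOF'
Defaults env_reset
Host_Alias WEBSERVERS = web1, web2
root ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) ALL
deploy WEBSERVERS = (root) /usr/bin/systemctl restart nginx
ops db1 = (postgres) /usr/local/bin/pg_ctl
EOF
cat > "$DEMO_DIR/auth.log" <<'EOF'
Jul 10 09:12:01 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Jul 10 09:15:44 web1 sudo:    alice : TTY=pts/1 ; CHROOT=/tmp/stage ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/id
EOF
SAMPLE_VERSION_OUTPUT='Sudo version 1.9.15p5
Sudoers policy plugin version 1.9.15p5'

audit_report() {
    echo "Host-specific sudoers rules (exposed to the -h bypass until patched):"
    host_specific_rules "$DEMO_DIR/sudoers"
    echo "Log lines recording a chroot under a staging directory:"
    chroot_log_hits "$DEMO_DIR/auth.log"
    # Live version check, only when sudo is installed and FIXED_VERSION was set.
    if command -v sudo >/dev/null 2>&1 && [ "$FIXED_VERSION" != "REPLACE_WITH_FIXED_SUDO_VERSION" ]; then
        installed=$(sudo_version_from_output "$(sudo --version 2>/dev/null)")
        if version_lt "$installed" "$FIXED_VERSION"; then
            echo "installed sudo $installed predates $FIXED_VERSION: schedule the update"
        else
            echo "installed sudo $installed is at or past $FIXED_VERSION"
        fi
    fi
}
audit_report
```

Run it as a regular user; the sudoers audit only needs read access to the file you point it at (copy /etc/sudoers to a readable location if needed), and the log check is a plain grep over the auth log. On the constructed sample it lists the two host-specific specs and the single chroot entry under /tmp.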


Affected Versions and Resolution Plan

We have outlined below which customers are affected and what steps are needed to address this security concern. The corrective steps depend on which version of the software you are using.


Product               Version   Resolution Plan
Sippy Softswitch      2020      Update to the latest Sippy Softswitch 2021
Sippy Softswitch      2021      Update to the latest Sippy Softswitch 2021
Sippy Softswitch      2022      Update to the latest Sippy Softswitch 2022
Sippy Softswitch      2023      Update to the latest Sippy Softswitch 2023
Sippy Freightswitch   Testing   Update to the latest version


Next steps


Customers on Flex Licenses and Active Support agreements are eligible for the patch, which will be applied on a priority basis. Customers on Sippy Softswitch v2020 or earlier, or who do not currently have a support agreement, are directed to contact sales@sippysoft.com for further instructions.

Sincerely,


Phillip Ma

Product Manager

Sippy Software.
