Critical Sudo Flaws Allow Local Privilege Escalation to Root on Linux Systems

In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include:

1. Critical Sudo Flaws Allow Local Privilege Escalation to Root on Linux Systems
2. Exposed JDWP Interfaces Abused for RCE and Cryptojacking
3. Critical RCE Flaw in mcp-remote Enables Full System Compromise
4. New Variant of Atomic macOS Stealer (AMOS) with Persistent Backdoor
5. Widespread Qantas Breach Highlights Third-Party Risk and APT Threats

These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.

SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.

1. Critical Sudo Flaws Allow Local Privilege Escalation to Root on Linux Systems

Two severe vulnerabilities (CVE-2025-32462 and CVE-2025-32463) have been discovered in the sudo command-line tool. CVE-2025-32462 is a host-based configuration flaw allowing unintended command execution on various hosts due to a configuration oversight present for over 12 years (since sudo 1.8.8). CVE-2025-32463 is a high-risk local privilege escalation bug that enables unprivileged users to gain root access on Linux and Unix-like systems (including Ubuntu, macOS, AlmaLinux, Red Hat, and Debian) by exploiting the –chroot option, even in default sudo configurations.

Recommendations to mitigate this threat include immediately upgrading to sudo version 1.9.17p1 or later, ensuring all Linux distribution security patches are applied without delay. Additionally, organizations should audit their sudo configurations, specifically inspecting Host and Host_Alias in /etc/sudoers and /etc/sudoers.d/, and for LDAP setups, utilizing ldapsearch to verify sudo rules integrity. Given its deprecated status and associated risks, it’s strongly advised to discontinue reliance on the chroot option (-R). To confirm effectiveness, administrators should test their environments by verifying the sudo version and attempting restricted sudo operations in isolated test VMs. Continuous monitoring of the Sudo Security Advisory is crucial.

2. Exposed JDWP Interfaces Abused for RCE and Cryptojacking

Threat actors are actively exploiting exposed Java Debug Wire Protocol (JDWP) ports (typically TCP port 5005) to achieve remote code execution (RCE) and deploy customized XMRig cryptocurrency miners. JDWP, often enabled for debugging in CI/CD environments like TeamCity and Jenkins, lacks authentication, making misconfigured ports a critical RCE risk. Attackers establish a JDWP session, execute a curl command to fetch a dropper script, which then installs a stealthy, modified XMRig miner (disguised as logrotate), sets up persistence via cron jobs, and deletes forensic traces.

Recommendations to mitigate this threat include critically not exposing JDWP to the internet; access should be strictly restricted to localhost or private IPs. JDWP should be disabled on all production systems unless absolutely necessary. If required, robust access controls like firewalls or SSH tunnels must be implemented. Organizations should actively monitor for and alert on external connections to JDWP ports. A thorough audit of all Java-based services is recommended to identify accidental debug mode exposures. Security teams should be vigilant to terminate unauthorized curl downloads and monitor unusual file creation. Implementing behavior-based detection is key for mining tools, and regular patching of cloud environments is essential, alongside vigilance for indicators of compromise (IOCs).

3. Critical RCE Flaw in mcp-remote Enables Full System Compromise

A critical remote code execution (RCE) vulnerability (CVE-2025-6514, CVSS 9.6) in the mcp-remote tool (versions 0.0.5 to 0.1.15) allows arbitrary OS command execution on the client system when it connects to a malicious or untrusted Model Context Protocol (MCP) server. The flaw enables threat actors operating a malicious MCP server to embed specially crafted OS commands during the initial handshake/authorization, which are then executed on the client’s host OS (full RCE on Windows, arbitrary binary execution with limited parameter control on macOS/Linux).

Recommendations to mitigate this threat include immediate action to upgrade to mcp-remote version 0.1.16 or later to patch this critical vulnerability. Furthermore, it’s paramount that users only connect to trusted MCP servers and exclusively utilize secure protocols such as HTTPS for these connections. Organizations should actively monitor any systems still running older versions for suspicious communications with external servers. It’s strongly advised to avoid using mcp-remote in untrusted environments, or at minimum, to sandbox it to limit potential damage. Finally, implementing robust input validation and network-level access controls is essential to block connections to rogue MCP endpoints.

4. New Variant of Atomic macOS Stealer (AMOS) with Persistent Backdoor

An enhanced variant of the Atomic macOS Stealer (AMOS) malware has emerged, featuring an integrated persistent backdoor for remote command execution and long-term access to compromised Mac systems. This new version uses LaunchDaemon-based persistence and hides core binaries (.helper) and perpetual execution scripts (.agent) in the user’s home directory. It achieves privilege escalation by harvesting user passwords to install the LaunchDaemon and employs anti-analysis techniques like sandbox detection and string obfuscation. The malware, distributed via MaaS, phishing, and cracked software, targets cryptocurrency holders and freelancers across over 120 countries.

Recommendations to mitigate this threat include deploying advanced Endpoint Detection & Response (EDR) solutions across all macOS systems. User education is paramount; employees should be thoroughly trained to recognize and avoid phishing attempts and refrain from using cracked software. Enforcing strong, unique passwords and multi-factor authentication (MFA) for all accounts, particularly those associated with cryptocurrency or sensitive data, is critical. Regular software updates for macOS and all applications are essential. Security teams should actively monitor for new LaunchDaemons or unusual script execution. Network traffic should also be monitored for suspicious Command-and-Control (C2) infrastructure communications. Lastly, it’s advisable to limit administrative privileges for daily user accounts.

5. Widespread Qantas Breach Highlights Third-Party Risk and APT Threats

Qantas Airways disclosed a cyberattack affecting 5.7 million customers due to a breach in a third-party contact center platform. The attack, exhibiting tactics associated with the Scattered Spider threat group (UNC3944), resulted in the exfiltration of customer data including names, emails, frequent flyer information, and for a subset, addresses, phone numbers, DOBs, and meal preferences. No passwords, financial data, or passport details were compromised. Scattered Spider is suspected to be initiating extortion communications.

Recommendations to mitigate this threat include prioritizing robust third-party risk management by auditing platforms and ensuring vendors adhere to strict access control and zero-trust principles. In a breach, engaging a certified DFIR team is vital for investigation, system isolation, and network segmentation. Enhanced endpoint and identity security involves advanced EDR, MFA enforcement, and access reviews. Active threat hunting for Scattered Spider’s TTPs is essential. Organizations should also monitor dark web marketplaces for leaked data. Transparent customer communication is key, offering credit monitoring and support. Mandatory security awareness training for staff will improve detection. For long-term resilience, implementing a zero-trust architecture and continuous threat intelligence are advised. Affected customers should be wary of phishing emails, monitor loyalty accounts and credit, update passwords, enable MFA, and ignore scam compensation calls.