Introduction

On July 4th, 2025, an alert was triggered in LetsDefend (Event ID: 319) under rule SOC341 - Local Privilege Escalation via chroot CVE-2025-32463. This rule identifies suspicious activity involving misuse of the sudo -R flag, which in this case was executed within a Docker container on the host ubuntu-dev (IP: 172.16.20.56).

The alert indicates a possible exploitation attempt of CVE-2025-32463, a recently disclosed local privilege escalation vulnerability related to improper handling of the --chroot option in sudo. This vulnerability allows a low-privileged user to escape chroot environments and gain elevated privileges — a serious concern, especially in containerized environments.

The process tree shows dash spawning a bash session that runs the suspicious command sudo -R woot woot as root, a strong indicator of exploitation activity. Despite the suspicious command, the device action was marked as Allowed, prompting further investigation by the SOC team.


What is CVE-2025-32463?

CVE-2025-32463 is a vulnerability found in the sudo command, which is used to run tasks as another user — usually root. This bug affects how the -R option (used for chroot environments) is handled.

In simple terms, an attacker who already has limited access to a system — like inside a Docker container or a restricted environment — can misuse sudo -R to break out of that restricted space and gain full root access on the actual system.

This means a user who should be trapped in a "safe area" of the system can escape and take full control — which is a serious security risk.
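The rule that fired here keys on the same behaviour described above: a sudo invocation that uses the chroot option (-R / --chroot). The following is an added example, written for this write-up and not the LetsDefend rule's own logic, of how a SOC analyst might reproduce that check over process-creation telemetry. The JSON field names (host, pid, ppid, user, image, cmdline) and the sample events are constructed for illustration; the only command line taken from the alert is sudo -R woot woot. The check parses sudo's own options so that a harmless sudo chmod -R is not flagged, and it walks ppid links to recover the dash -> bash -> sudo ancestry the alert showed.

```python
"""Flag sudo invocations that use the chroot option and show their process ancestry.

Added example for the SOC341 write-up; not the LetsDefend rule's implementation.
Event format and sample data are constructed (hypothetical field names).
"""
import json
import shlex
from os.path import basename

# Constructed sample telemetry: one JSON process-creation event per line.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"host": "ubuntu-dev", "pid": 4101, "ppid": 4100, "user": "dev",
                "image": "/usr/bin/dash", "cmdline": "sh -c bash"}),
    json.dumps({"host": "ubuntu-dev", "pid": 4102, "ppid": 4101, "user": "dev",
                "image": "/usr/bin/bash", "cmdline": "bash"}),
    json.dumps({"host": "ubuntu-dev", "pid": 4103, "ppid": 4102, "user": "dev",
                "image": "/usr/bin/sudo", "cmdline": "sudo -R woot woot"}),
    json.dumps({"host": "ubuntu-dev", "pid": 4200, "ppid": 4102, "user": "dev",
                "image": "/usr/bin/sudo", "cmdline": "sudo apt-get update"}),
    json.dumps({"host": "ubuntu-dev", "pid": 4201, "ppid": 4102, "user": "dev",
                "image": "/usr/bin/sudo", "cmdline": "sudo chmod -R 755 /opt/app"}),
    json.dumps({"host": "ubuntu-dev", "pid": 4300, "ppid": 4102, "user": "ops",
                "image": "/usr/bin/sudo", "cmdline": "sudo --chroot=/srv/jail ls /"}),
])

# sudo options that consume a value, so the value is not mistaken for the
# command being run (taken from sudo's documented option list).
SHORT_OPTS_WITH_ARG = set("CDghprRtTuU")
LONG_OPTS_WITH_ARG = {"--chdir", "--chroot", "--close-from", "--command-timeout",
                      "--group", "--host", "--prompt", "--role", "--type",
                      "--user", "--other-user"}


def uses_chroot_option(cmdline):
    """Return True if a sudo command line passes -R/--chroot before the command."""
    try:
        tokens = shlex.split(cmdline)
    except ValueError:
        return False
    if not tokens or basename(tokens[0]) != "sudo":
        return False
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "--":                      # explicit end of sudo options
            return False
        if tok.startswith("--"):
            name = tok.split("=", 1)[0]
            if name == "--chroot":
                return True
            if name in LONG_OPTS_WITH_ARG and "=" not in tok:
                i += 1                       # skip the option's value
        elif tok.startswith("-") and len(tok) > 1:
            for pos, ch in enumerate(tok[1:], start=1):  # short option cluster
                if ch == "R":
                    return True
                if ch in SHORT_OPTS_WITH_ARG:
                    if pos == len(tok) - 1:
                        i += 1               # value is the next token
                    break                    # otherwise the rest of the cluster is the value
        else:
            return False                     # first non-option token is the command
        i += 1
    return False


def detect_sudo_chroot(events_text):
    """Parse newline-delimited JSON events and return findings for sudo chroot use."""
    events = [json.loads(line) for line in events_text.splitlines() if line.strip()]
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if not uses_chroot_option(e.get("cmdline", "")):
            continue
        # Walk ppid links to show how the sudo call was reached (e.g. dash -> bash -> sudo).
        chain, cur = [], e
        while cur is not None and len(chain) < 16:
            chain.append(basename(cur["image"]))
            cur = by_pid.get(cur["ppid"])
        findings.append({
            "host": e["host"], "pid": e["pid"], "user": e["user"],
            "cmdline": e["cmdline"], "ancestry": " -> ".join(reversed(chain)),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_sudo_chroot(SAMPLE_EVENTS):
        print(json.dumps(finding))
```

Running the block prints two findings: the sudo -R woot woot event from the alert (ancestry dash -> bash -> sudo) and the --chroot=/srv/jail event, while sudo chmod -R is left alone because -R there belongs to chmod, not sudo. In a real deployment the ancestry walk is what lets an analyst separate an interactive shell inside a container from a scheduled job.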


Alert Investigation

[Image not included: Screenshot 2025-07-23 224927.png]

We can see the commands used on the target machine for privilege escalation.

[Image not included: image.png]

This is the Dockerfile used by the attacker during the exploitation.