A critical vulnerability, identified as CVE-2025-65807, has been discovered in the 'sd command' utility, affecting multiple products. This flaw allows a local attacker with basic user permissions to gain full administrative (root) control over a vulnerable system by executing a specially crafted command. Successful exploitation could lead to a complete system compromise, enabling data theft, service disruption, and further network intrusion.

This is a local privilege escalation vulnerability. The sd command fails to properly sanitize user-supplied input when processing commands. A local, unprivileged attacker can provide a crafted command string that includes malicious shell metacharacters or commands. The sd utility, if running with elevated privileges (e.g., as a SUID binary), will execute this malicious payload with root permissions, granting the attacker a root shell and complete control over the system.

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit would result in a complete compromise of the affected system's confidentiality, integrity, and availability. An attacker with root access can steal or modify sensitive data, install persistent malware such as ransomware or rootkits, disrupt critical business operations, and use the compromised machine as a pivot point to attack other systems within the network. This poses a severe risk to operational stability, data security, and regulatory compliance.

Immediate Action:

• Immediately apply the vendor-supplied security update. The primary remediation is to Update An issue in sd command Multiple Products to the latest version.
• After patching, monitor for exploitation attempts and review access logs for any signs of compromise that may have occurred before the patch was applied.

Proactive Monitoring:

• Log Analysis: Review system audit logs (e.g., auditd), command history logs (e.g., .bash_history), and system logs for unusual or malformed invocations of the sd command.
• Process Monitoring: Monitor for anomalous child processes spawned by the sd command, particularly shells (/bin/sh, /bin/bash) or network utilities running with root privileges.
• Endpoint Detection and Response (EDR): Utilize EDR solutions to detect common privilege escalation techniques and unauthorized command execution.

Compensating Controls:

• Restrict Access: If patching is not immediately feasible, restrict access to the sd command binary to only trusted administrative users.
• Remove SUID Bit: If the sd binary has the SUID bit set, consider temporarily removing it (chmod u-s /path/to/sd) to prevent execution with root privileges. Note that this may impact the application's intended functionality.
• Principle of Least Privilege: Ensure that user accounts and services operate with the minimum level of privilege necessary for their function.

Public Exploit Available: false

This vulnerability represents a critical risk to the organization. Due to the high CVSS score of 9.8, immediate action is required. Although CVE-2025-65807 is not currently listed on the CISA KEV (Known Exploited Vulnerabilities) catalog, its severity warrants treating it with the highest priority. We strongly recommend applying the vendor-provided patches to all affected systems immediately. If patching is delayed, implement the compensating controls and increase monitoring for any signs of exploitation.