Twelve years. That's how long a vulnerability sat in sudo—the command powering every Linux system—waiting for the wrong hands. When Stratascale researchers Rich Mirch and Quentin Rhoads-Herrera discovered not one, but two zero-day vulnerabilities in sudo, millions of systems worldwide were at risk.
Go behind the scenes of a discovery that could have changed everything—but didn't, thanks to ethical research and responsible disclosure. Learn how a 12-year-old vulnerability went undetected in one of the world's most scrutinized open-source projects, why human curiosity still outpaces automated security tools, and the methodology behind discovering critical flaws in mature, battle-tested software.
Guests: Rich Mirch, Principal Security Researcher, Stratascale; Quentin Rhoads-Herrera, VP of Security Services, Stratascale
Stratascale is a wholly owned subsidiary of SHI International, delivering cutting-edge cybersecurity research and managed security services.
Show Notes & Resources
Read our blog announcing the vulnerabilities: https://www.stratascale.com/vulnerability-alert-CVE-2025-32462-sudo-host CVE Details: • CVE-2025-32462 - The 12-year sudo vulnerability • CVE-2025-32463 - The more severe chroot vulnerability
Key Timestamps: • [02:07] - Rich's discovery approach: assuming vulnerabilities exist • [08:03] - Quinton's validation process and initial disbelief • [13:31] - The "double take" moment of confirming the discovery • [21:21] - Dynamic vs. static testing methodology • [29:03] - Why offensive security research matters • [34:44] - Career advice for aspiring cybersecurity professionals
Learn More: When you need expert guidance on cybersecurity solutions and frameworks, trust SHI's Field CISOs and security experts. We help identify critical gaps, consolidate security platforms, and integrate AI into your cybersecurity practices. Learn more at https://www.shi.com/solutions/cybersecurity