CVE-2025-32462 has received a lower CVSS score due to the conditions that are needed. Namely, successful execution would require someone to make a misconfiguration and deploy a Sudoers file with an incorrect host for this vulnerability to work.
APT36's focus on Linux-specific systems, particularly those used in government infrastructure, reinforces that no operating system is off-limits to nation-state attackers. This kind of multi-layered phishing attack highlights how threat actors are constantly evolving their tactics to quietly bypass defenses and exploit user trust.