CVE-2025-10541: CWE-732 Incorrect Permission Assignment for Critical Resource in iMonitor Software Inc. iMonitor EAM
iMonitor EAM 9.6394 installs a system service (eamusbsrv64.exe) that runs with NT AUTHORITY\SYSTEM privileges. This service includes an insecure update mechanism that automatically loads files placed in the C:\sysupdate\ directory during startup. Because any local user can create and write to this directory, an attacker can place malicious DLLs or executables in it. Upon service restart, the files are moved to the application’s installation path and executed with SYSTEM privileges, leading to privilege escalation.
AI Analysis
Technical Summary
CVE-2025-10541 is a critical vulnerability identified in iMonitor Software Inc.'s iMonitor EAM version 9.63.94. The vulnerability arises from improper permission assignment (CWE-732) on a critical system resource used by the application. Specifically, the software installs a system service named 'eamusbsrv64.exe' that runs with NT AUTHORITY\SYSTEM privileges, the highest level of privilege on Windows systems. This service uses an insecure update mechanism that automatically loads files placed in the C:\sysupdate\ directory during system startup. The core issue is that this directory is writable by any local user, allowing an attacker with local access to place malicious DLLs or executables into it. Upon service restart, these files are moved to the application's installation directory and executed with SYSTEM privileges. This results in a privilege escalation vulnerability, where an attacker with low-level access can gain full system control. The vulnerability does not require user interaction beyond local access and does not currently have known exploits in the wild. However, the impact of exploitation is severe due to the SYSTEM-level execution context. No CVSS score has been assigned yet, and no patches have been published at the time of this report. The vulnerability was publicly disclosed on September 25, 2025.
Potential Impact
For European organizations, this vulnerability poses a significant risk, especially in environments where iMonitor EAM is deployed for enterprise asset management. Successful exploitation allows an attacker with local access to escalate privileges to SYSTEM level, potentially leading to full system compromise. This can result in unauthorized access to sensitive data, disruption of critical asset management operations, and lateral movement within the network. Organizations in sectors such as manufacturing, utilities, and critical infrastructure that rely on iMonitor EAM for operational technology (OT) or IT asset management are particularly at risk. The vulnerability could be exploited by malicious insiders or by attackers who have gained an initial foothold through phishing or other means. Given the SYSTEM-level privileges, attackers could disable security controls, install persistent malware, or exfiltrate confidential information. The lack of a patch increases the urgency for mitigation. Additionally, exploitation does not require user interaction beyond local access, which increases the risk in environments with multiple users or shared workstations.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should immediately restrict write permissions to the C:\sysupdate\ directory to trusted administrators only, preventing unauthorized users from placing malicious files there. Implementing strict access control lists (ACLs) on this directory is critical. Until a vendor patch is available, organizations should consider disabling or stopping the 'eamusbsrv64.exe' service if it is not essential for operations, or running it with reduced privileges if possible. Monitoring the C:\sysupdate\ directory for unauthorized file creation or modification can provide early detection of exploitation attempts. Employing application whitelisting to prevent execution of unauthorized binaries and DLLs can also reduce risk. Organizations should conduct thorough audits of local user permissions and limit local administrative rights to reduce the attack surface. Additionally, network segmentation and endpoint detection and response (EDR) solutions can help detect and contain any exploitation attempts. Finally, organizations should maintain close communication with iMonitor Software Inc. for timely patch releases and apply updates as soon as they become available.
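As an added example (not the advisory's or the vendor's code), the following PowerShell audits the ACL of C:\sysupdate\ for the broad write access described above and, with the assumed -Fix switch, replaces it with an ACL limited to SYSTEM and Administrators; the -Path and -Fix parameters and the list of "broad" principals are this script's own assumptions. Run it elevated.

```powershell
# Added audit/hardening script for CVE-2025-10541 (not vendor code). Run elevated.
# -Path and -Fix are this script's own assumed parameters.
[CmdletBinding()]
param(
    [string]$Path = 'C:\sysupdate',
    [switch]$Fix
)
# Rights that let a principal stage or replace files, or grant itself the ability to.
$writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
# Low-privilege principals that must not hold those rights on a directory a SYSTEM service consumes.
$broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
           'NT AUTHORITY\INTERACTIVE', 'CREATOR OWNER')

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Host "$Path does not exist; nothing to audit."
    return
}
$acl   = Get-Acl -LiteralPath $Path
$risky = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $broad -contains $_.IdentityReference.Value -and
    ($_.FileSystemRights -band $writeMask) -ne 0
})
if ($risky.Count -eq 0) {
    Write-Host "OK: no broad write access on $Path."
    return
}
Write-Warning "Broad write access on $Path (CVE-2025-10541 exposure):"
$risky | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Anything already staged here runs as SYSTEM on the next service start: record it for review.
Get-ChildItem -LiteralPath $Path -Force -Recurse |
    Select-Object FullName, Length, LastWriteTime, @{n='Owner'; e={ (Get-Acl -LiteralPath $_.FullName).Owner }} |
    Format-Table -AutoSize

if ($Fix) {
    # Stop inheriting and persist first, so the copied ACEs become explicit and removable.
    $acl.SetAccessRuleProtection($true, $true)
    Set-Acl -LiteralPath $Path -AclObject $acl
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($broad -contains $ace.IdentityReference.Value) { [void]$acl.RemoveAccessRule($ace) }
    }
    foreach ($id in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
            $id, 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
    Write-Host "Hardened ACL applied to $Path."
}
```

The staged-file listing is deliberately read-only: files already present should be preserved as evidence and reviewed before the service is restarted, since the service will move and execute them on its next start.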
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: SEC-VLab
- Date Reserved: 2025-09-16T07:44:45.725Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68d5538429ad9c2ccd0a3dae
Added to database: 9/25/2025, 2:36:52 PM
Last enriched: 9/25/2025, 2:41:33 PM
Last updated: 10/7/2025, 1:51:50 PM