CVE-2025-10541: CWE-732 Incorrect Permission Assignment for Critical Resource in iMonitor Software Inc. iMonitor EAM
iMonitor EAM 9.6394 installs a system service (eamusbsrv64.exe) that runs with NT AUTHORITY\SYSTEM privileges. This service includes an insecure update mechanism that automatically loads files placed in the C:\sysupdate\ directory during startup. Because any local user can create and write to this directory, an attacker can place malicious DLLs or executables in it. Upon service restart, the files are moved to the application’s installation path and executed with SYSTEM privileges, leading to privilege escalation.
AI Analysis
Technical Summary
CVE-2025-10541 affects iMonitor EAM 9.6394, specifically the eamusbsrv64.exe service, which runs as NT AUTHORITY\SYSTEM. At service start the binary runs an update routine that picks up whatever files are present in C:\sysupdate\. The root cause is CWE-732, incorrect permission assignment for a critical resource: C:\sysupdate\ is writable by any local user, so a standard user can drop a DLL or executable there. On the next service start (a reboot is enough), the service moves the staged file into its installation directory and executes it as SYSTEM, giving the attacker full control of the host. No user interaction is required; the attacker needs only local access with low privileges and the ability to wait for, or bring about, a service restart. A CVSS 3.1 score of 7.8 (high) matches the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H: local, low complexity, low privileges, no user interaction, and high impact on confidentiality, integrity and availability. No vendor patch or public exploit code is known at the time of writing, but the issue is published and should be treated as actionable now. The design flaw is that the update mechanism trusts a world-writable staging directory; the missing access control on that directory is the defect, and tightening it is the most direct workaround until the vendor changes the mechanism.
Potential Impact
For European organizations the exposure is concentrated wherever iMonitor EAM is installed on employee endpoints for activity monitoring, including manufacturing, energy and other critical-infrastructure operators. Anyone with a local foothold, whether an insider, a user whose credentials were compromised, or malware running in a standard user session, can escalate to SYSTEM and fully compromise the host. From there the usual consequences follow: access to and tampering with local data, disabling or subverting the monitoring agent itself, and lateral movement into the rest of the network. On hosts that sit close to operational technology, the integrity and availability impact can translate into downtime or safety risk; confidentiality loss can expose operational data and the monitoring records the product collects. No public exploit is known, which limits opportunistic mass exploitation for now, but the bug is simple to use (write a file, wait for a restart), so working exploit code is likely to appear. Organizations running iMonitor EAM should treat this as a high-priority local privilege escalation affecting operational security and business continuity.
Mitigation Recommendations
1. Restrict the NTFS permissions on C:\sysupdate\ immediately so that only SYSTEM and local Administrators can create, write or delete files there; remove every Allow entry for Everyone, Authenticated Users, INTERACTIVE and BUILTIN\Users. Check whether the service recreates the directory with a permissive default ACL on restart and re-apply the restriction if it does.
2. Apply the same check to the product's installation directory, since the service moves staged files there before executing them; a writable installation path undermines the fix to the staging directory.
3. Inspect C:\sysupdate\ and the installation path for files that should not be there. An unexpected binary is evidence of an attempted exploit and belongs in incident response, not just cleanup.
4. Monitor both directories for file creation and modification (file integrity monitoring, Sysmon Event ID 11 or equivalent) and alert on writes by principals other than SYSTEM and administrators.
5. Use application control (for example AppLocker or WDAC) to block execution of unsigned or unexpected binaries from the installation path.
6. Keep systems running iMonitor EAM away from untrusted users and networks, and audit local accounts regularly to minimize who can log on locally.
7. Ask iMonitor Software Inc. for a fixed build and deploy it as soon as it is available; the ACL change is a workaround, not a fix for the design flaw.
8. Tune EDR to flag a service restart of eamusbsrv64.exe followed by execution of a newly written binary from the installation path.
9. Brief administrators on the risk and keep the hardened ACL under configuration management so it is not silently reverted.
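The following PowerShell script is an added example, not code from the advisory or from iMonitor Software Inc. It implements the first three mitigation items and the root-cause check from the technical summary: it locates the service by its binary name, reports whether C:\sysupdate\ (and the installation directory the service runs from) grants write access to principals every standard user belongs to, lists anything already staged, and with -Fix rewrites the staging directory's DACL so only SYSTEM and Administrators can touch it. The path C:\sysupdate and the binary name eamusbsrv64.exe come from the advisory; the well-known SID lists, the write-rights mask and the hardening policy are this script's own assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not iMonitor's code: audit the staging directory that the
# advisory says eamusbsrv64.exe consumes at service start, and optionally
# lock it down. C:\sysupdate and the binary name come from the advisory; the
# SID lists and the hardening policy below are this script's own assumptions.
param(
    [string]$UpdateDir = 'C:\sysupdate',
    [switch]$Fix
)

# Principals every standard user belongs to, as well-known SIDs so the check
# does not depend on display-name localisation:
# Everyone, Authenticated Users, INTERACTIVE, BUILTIN\Users.
$lowPrivSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-4', 'S-1-5-32-545'

# Any of these rights lets the holder drop, replace or delete a file in the
# directory. GENERIC_WRITE / GENERIC_ALL are added because inherited ACEs
# sometimes carry generic rights that do not map to named enum members.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

function Get-WeakWriteAce {
    # Returns every Allow ACE on $Path that gives a low-privileged principal
    # some form of write access.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($lowPrivSids -contains $sid) -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) { $ace }
    }
}

function Test-Directory {
    param([string]$Path, [string]$Label)
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        "$Label $Path does not exist on this host."
        return
    }
    $weak = @(Get-WeakWriteAce -Path $Path)
    if ($weak.Count -eq 0) { "$Label $Path is not writable by standard users." }
    else {
        "VULNERABLE: $Label $Path grants write access to low-privileged principals:"
        $weak | Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize | Out-String
    }
}

function Protect-Directory {
    # Stop inheriting the parent's DACL (dropping the inherited ACEs), remove
    # explicit ACEs for the low-privileged principals, then grant SYSTEM and
    # BUILTIN\Administrators full control. Standard users end up with no
    # access at all, which is fine: the service runs as SYSTEM.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @(Get-WeakWriteAce -Path $Path)) {
        $probe = New-Object System.Security.AccessControl.FileSystemAccessRule($ace.IdentityReference, 'Read', 'Allow')
        $acl.RemoveAccessRuleAll($probe)
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    foreach ($sid in 'S-1-5-18', 'S-1-5-32-544') {   # SYSTEM, BUILTIN\Administrators
        $id   = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# 1. Locate the service by its binary rather than by an assumed service name.
$svc = Get-CimInstance -ClassName Win32_Service | Where-Object { $_.PathName -like '*eamusbsrv64.exe*' }
$installDir = $null
foreach ($s in $svc) {
    "Service '$($s.Name)' runs as $($s.StartName), state $($s.State), binary $($s.PathName)"
    if ($s.PathName -match '^"?(?<exe>[^"]*eamusbsrv64\.exe)') { $installDir = Split-Path -Parent $Matches['exe'] }
}
if (-not $svc) { "No service with eamusbsrv64.exe as its binary was found; iMonitor EAM may not be installed here." }

# 2. Audit the staging directory and, because staged files are moved into the
#    installation path before execution, the installation path as well.
Test-Directory -Path $UpdateDir -Label 'Staging directory'
if ($installDir) { Test-Directory -Path $installDir -Label 'Installation directory' }

# 3. Anything already staged is either a pending vendor update or a planted
#    payload; list it so it can be triaged before the next service start.
if (Test-Path -LiteralPath $UpdateDir -PathType Container) {
    Get-ChildItem -LiteralPath $UpdateDir -Force -Recurse -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize | Out-String
}

# 4. Optional hardening, followed by a re-audit.
if ($Fix -and (Test-Path -LiteralPath $UpdateDir -PathType Container)) {
    Protect-Directory -Path $UpdateDir
    Test-Directory -Path $UpdateDir -Label 'Staging directory (after fix)'
}
```

Run it from an elevated prompt to audit, and add -Fix to apply the restrictive DACL. Two caveats: the script is a workaround and does not change the service's behaviour of trusting whatever it finds in the directory, so a vendor fix is still required; and if the service recreates C:\sysupdate\ with a permissive default ACL at its next start, the audit will report it as vulnerable again and the fix must be re-applied (or enforced through configuration management). The installation directory is only audited, not rewritten, because the product's own components need their existing permissions there.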
Affected Countries
Germany, France, United Kingdom, Italy, Netherlands, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: SEC-VLab
- Date Reserved: 2025-09-16T07:44:45.725Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68d5538429ad9c2ccd0a3dae
Added to database: 9/25/2025, 2:36:52 PM
Last enriched: 11/3/2025, 7:03:31 PM
Last updated: 11/20/2025, 9:35:49 PM
Views: 66
Related Threats
- CVE-2025-61138: n/a (severity: Unknown)
- CVE-2025-36159: CWE-117 Improper Output Neutralization for Logs in IBM Concert (severity: Medium)
- CVE-2025-36158: CWE-674 Uncontrolled Recursion in IBM Concert (severity: Medium)
- CVE-2025-36153: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in IBM Concert (severity: Medium)
- CVE-2025-36160: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere in IBM Concert (severity: Medium)