CVE-2025-13130: Incorrect Default Permissions in Radarr
A vulnerability has been found in Radarr 5.28.0.10274. The affected element is an unknown function of the file C:\ProgramData\Radarr\bin\Radarr.Console.exe of the component Service. Such manipulation leads to incorrect default permissions. The attack can only be performed from a local environment. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-13130 identifies a security vulnerability in Radarr version 5.28.0.10274, specifically related to incorrect default permissions assigned to the Radarr.Console.exe executable located in C:\ProgramData\Radarr\bin\. This misconfiguration allows a local attacker with low privileges to manipulate the permissions of this service component. Because the executable is part of the Radarr service, improper permissions can lead to unauthorized modification or replacement of the executable, potentially enabling privilege escalation or execution of arbitrary code with elevated rights. The attack vector is limited to local access, meaning an attacker must already have some level of access to the system, but no further authentication or user interaction is required. The vulnerability does not affect network attack vectors directly but poses a significant risk in environments where multiple users share the same system or where local access can be gained through other means. The vendor was contacted about this issue but did not respond, and no patches or mitigations have been officially released. The CVSS 4.0 base score of 8.5 reflects the vulnerability’s high impact on confidentiality, integrity, and availability, combined with low attack complexity and no need for user interaction. Although no known exploits are currently in the wild, the vulnerability represents a critical risk for systems running the affected Radarr version, especially in multi-user or less controlled environments.
Potential Impact
For European organizations, the impact of CVE-2025-13130 can be significant, especially in environments where Radarr is used on shared or multi-user systems such as media servers in corporate or educational institutions. Unauthorized modification of the Radarr service executable could lead to privilege escalation, allowing attackers to gain higher system privileges, execute arbitrary code, or disrupt service availability. This could compromise system integrity and confidentiality, particularly if Radarr is integrated with other services or stores sensitive configuration data. The local access requirement limits remote exploitation but does not eliminate risk, as attackers could leverage other vulnerabilities or social engineering to gain local access. The lack of vendor response and patches increases the window of exposure. European organizations with less stringent local access controls or those using Radarr in critical environments face a higher risk of exploitation, potentially leading to operational disruption or data breaches.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
- Immediately audit and restrict file system permissions on the Radarr.Console.exe executable and related service files to ensure only trusted administrators have write access.
- Implement strict local access controls and user account management to limit the number of users with local access to systems running Radarr.
- Employ application whitelisting and integrity monitoring tools to detect unauthorized changes to Radarr binaries.
- Consider running Radarr under a dedicated service account with minimal privileges and isolate it from other critical services.
- Regularly monitor system logs for suspicious permission changes or execution patterns.
- Until an official patch is released, consider temporarily disabling Radarr or restricting its use to trusted environments.
- Engage with the Radarr community or security forums for any unofficial patches or workarounds.
- Maintain a robust endpoint detection and response (EDR) capability to detect potential exploitation attempts.
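One way to carry out the permission audit recommended above, as an added PowerShell example that is not part of the advisory or of the Radarr project. The function name `Get-UntrustedWriteAce` and the allowlist of trusted SIDs are assumptions; only the directory path comes from the advisory.

```powershell
# Added example (not vendor code): list ACEs that let non-administrative
# principals modify files under the Radarr service directory.
$BinDir = 'C:\ProgramData\Radarr\bin'   # path from the advisory

# Assumption: only these well-known SIDs may hold write access.
$TrustedSids = @(
    'S-1-5-18',        # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',    # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

function Get-UntrustedWriteAce {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$TrustedSids
    )
    # Rights that allow changing content, deleting/replacing, or rewriting the ACL or owner.
    $rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
    # Also catch ACEs stored as GENERIC_WRITE (0x40000000) or GENERIC_ALL (0x10000000).
    $mask = [int]$rights -bor 0x40000000 -bor 0x10000000
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

    $items = @(Get-Item -LiteralPath $Path -ErrorAction Stop) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            # Inherit-only ACEs do not apply to this object; children are checked directly.
            if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }
            if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
            $sid = $ace.IdentityReference.Value
            if ($TrustedSids -contains $sid) { continue }
            $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid }
            [pscustomobject]@{
                Path      = $item.FullName
                Principal = $name
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @(Get-UntrustedWriteAce -Path $BinDir -TrustedSids $TrustedSids)
if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap }
else { "No untrusted write-capable ACEs under $BinDir" }
```

Each row is an entry to remove or reduce to read and execute (for example with `icacls`) after confirming that the account the service runs under keeps the access it needs. Rows marked `Inherited` have to be corrected on the parent directory or by disabling inheritance on the Radarr folder.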
Affected Countries
Germany, United Kingdom, Netherlands, France, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-13T15:28:26.949Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69165800ef0b598b9f6fad75
Added to database: 11/13/2025, 10:13:20 PM
Last enriched: 11/20/2025, 11:16:23 PM
Last updated: 11/22/2025, 7:17:42 AM