CVE-2025-13131: Incorrect Default Permissions in Sonarr
A vulnerability was found in Sonarr 4.0.15.2940. The impacted element is an unknown function of the file C:\ProgramData\Sonarr\bin\Sonarr.Console.exe of the component Service. Performing manipulation results in incorrect default permissions. The attack is only possible with local access. The vendor confirms this vulnerability but classifies it as a "low severity issue due to the default service user being used as it would either require someone to intentionally change the service to a highly privileged account or an attacker would need an admin level account". It is planned to fix this issue in the next major release v5.
AI Analysis
Technical Summary
CVE-2025-13131 concerns incorrect default permissions (CWE-276) on the Sonarr Windows service executable, C:\ProgramData\Sonarr\bin\Sonarr.Console.exe, in Sonarr 4.0.15.2940. The record does not spell out which principals hold which rights, only that the defaults on the service's binary are too permissive. For this class of weakness the practical consequence is that a local user who can modify the executable (or the directory it lives in) can change what the service runs, and that code then executes with whatever privileges the service account holds. Exploitation requires local access with low privileges and no user interaction; it is not reachable remotely. The severity therefore depends entirely on the account the service runs as. Under the default configuration the service uses a low-privileged default service user, so an attacker who rewrites the binary gains no more than that account; the vendor accordingly rates the issue low severity, noting that reaching a privileged context would require an administrator to have deliberately reconfigured the service to run as a highly privileged account, or the attacker to already hold admin rights, in which case nothing is gained. The CVSS 4.0 score of 8.5 reflects the former case: with the service running as SYSTEM or an administrative account, the same write access becomes a local privilege escalation to full control of the host. No public exploit is known. No fix has been released for the 4.x line; the vendor plans to address the defaults in the next major release, v5.
Potential Impact
For European organizations, the impact of CVE-2025-13131 depends on how Sonarr is deployed. Deployments that run the Windows service as SYSTEM or an administrative account expose a straightforward local privilege escalation: anyone who can write to the service binary can obtain full control of the host, compromising the confidentiality and integrity of everything on it and disabling or tampering with the service at will. Under the default service account the gain is limited to that account's rights, which still covers Sonarr's own configuration and API key and any media shares the account can reach. Because the attack vector is local-only, the flaw is a post-compromise or insider tool: a phished user, a compromised low-privileged account, or a foothold gained through another vulnerability on the same host. Sonarr is mostly found on home media servers and in small and medium organizations, often on shared or lightly managed Windows machines, which is exactly where local access controls tend to be weakest. The affected path is Windows-specific; the record says nothing about Linux, NAS or container deployments.
Mitigation Recommendations
European organizations should implement the following specific mitigations: (1) Verify the account the Sonarr service runs as (for example with sc qc <service name> or Get-CimInstance Win32_Service) and make sure it is the default low-privileged service user, never LocalSystem or a member of Administrators; the vendor's low-severity rating holds only in that case. (2) Inspect the ACL on C:\ProgramData\Sonarr\bin and Sonarr.Console.exe (icacls or Get-Acl) and remove any write, modify, delete or full-control rights held by non-administrative principals; the owner of the file and directory should also be an administrative principal, since the owner can rewrite the ACL. (3) Restrict interactive and remote logon on hosts running Sonarr to trusted users, and keep the service off shared workstations. (4) Enable "Audit File System" with a SACL on the bin directory so that permission changes (Security event 4670) and writes to the executable are logged, and alert on service configuration changes. (5) Use application control (WDAC or AppLocker) or EDR to block execution of a modified Sonarr.Console.exe from that directory. (6) Plan and test the upgrade to Sonarr v5 when it ships, as that is where the vendor intends to fix the defaults; until then re-check the permissions after every Sonarr update, since an in-place update may rewrite the directory. (7) Tell administrators not to run services as privileged accounts for convenience; that single change is what turns this from a low-severity issue into a CVSS 8.5 one.
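The checks in items (1), (2) and (4) above, collected into one script. This is an added example written for this page, not code from Sonarr or from the advisory. It assumes, since the record does not say, that the Windows service is registered under the name Sonarr, that its binaries live in C:\ProgramData\Sonarr\bin, and that it is run from an elevated PowerShell prompt; the hardening step is off by default and only applies when $Apply is set to $true.

```powershell
# Editor-supplied audit/hardening script for CVE-2025-13131 (not from Sonarr or the advisory).
# Assumptions: service name 'Sonarr', install directory C:\ProgramData\Sonarr\bin,
# elevated PowerShell session.
$ServiceName = 'Sonarr'
$BinDir      = 'C:\ProgramData\Sonarr\bin'
$Exe         = Join-Path $BinDir 'Sonarr.Console.exe'
$Apply       = $false   # set to $true only after reviewing the audit output

# --- 1. Which account does the service run as? --------------------------------
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found; check the service name." }
Write-Host "Service account : $($svc.StartName)"
Write-Host "Binary path     : $($svc.PathName)"

# LocalSystem, or any member of the local Administrators group, turns the vendor's
# low-severity case into the CVSS 8.5 case.
$admins = @()
try { $admins = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop).Name } catch {}
$acct = $svc.StartName -replace '^\.\\', "$env:COMPUTERNAME\"
if ($svc.StartName -eq 'LocalSystem' -or $admins -contains $acct) {
    Write-Warning "Service runs with administrative privilege ($($svc.StartName)); treat this host as HIGH risk."
}

# --- 2. Who can write to the service directory and executable? ----------------
# Any Allow ACE granting write-class rights to a principal outside the administrative
# set means a low-privileged local user could alter what the service executes.
$WriteMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, Delete, ChangePermissions, TakeOwnership'
$Trusted   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')
$findings  = @()
foreach ($path in @($BinDir, $Exe)) {
    if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Missing: $path"; continue }
    $acl = Get-Acl -LiteralPath $path
    Write-Host "`n$path  (owner: $($acl.Owner))"
    # The owner can rewrite the ACL regardless of the ACEs, so a non-admin owner is a finding too.
    if ($Trusted -notcontains $acl.Owner) { Write-Warning "  owner $($acl.Owner) is not an administrative principal" }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $WriteMask) -eq 0) { continue }
        $who = $ace.IdentityReference.Value
        if ($Trusted -contains $who) { continue }
        $findings += [pscustomobject]@{ Path = $path; Principal = $who; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
        Write-Warning ("  {0} -> {1} (inherited: {2})" -f $who, $ace.FileSystemRights, $ace.IsInherited)
    }
}
if (-not $findings) { Write-Host "`nNo write access for non-administrative principals found." }

# --- 3. Harden (guarded) -------------------------------------------------------
# Drops inherited ACEs on the bin directory, gives full control only to SYSTEM and
# Administrators, and read+execute to the service account so it can still start.
# Caveat: if Sonarr's built-in updater is enabled it writes into this directory under
# the service account, so test an update afterwards or switch to manual updates.
if ($Apply) {
    $svcPrincipal = if ($svc.StartName -eq 'LocalSystem') { 'SYSTEM' } else { $acct }
    icacls $BinDir /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' "${svcPrincipal}:(OI)(CI)RX" | Out-Null
    icacls $BinDir /setowner 'Administrators' /T /C | Out-Null
}

# --- 4. Detection: permission changes on the directory ------------------------
# Needs "Audit File System" enabled and a SACL on $BinDir. Event 4670 is
# "Permissions on an object were changed"; the first message line names the object.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$BinDir*" } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Run the script once as-is and read the warnings: a non-administrative principal with Write, Modify or FullControl on either path, or a non-administrative owner, is the condition the CVE describes, and a service account of LocalSystem or an Administrators member is the condition that makes it a CVSS 8.5 problem rather than a low one. Only then set $Apply, and re-run the audit after the next Sonarr update to confirm the ACL survived.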
Affected Countries
Germany, United Kingdom, France, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulDB
- Date Reserved: 2025-11-13T15:28:43.342Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69165800ef0b598b9f6fad7b
Added to database: 11/13/2025, 10:13:20 PM
Last enriched: 11/20/2025, 11:14:56 PM
Last updated: 12/29/2025, 8:18:46 AM