
CVE-2025-13131: Incorrect Default Permissions in Sonarr

Severity: High
Type: Vulnerability
Published: Thu Nov 13 2025 (11/13/2025, 22:02:07 UTC)
Source: CVE Database V5
Product: Sonarr

Description

A vulnerability was found in Sonarr 4.0.15.2940. The impacted element is an unknown function of the file C:\ProgramData\Sonarr\bin\Sonarr.Console.exe of the component Service. Performing manipulation results in incorrect default permissions. The attack is only possible with local access. The vendor confirms this vulnerability but classifies it as a "low severity issue due to the default service user being used as it would either require someone to intentionally change the service to a highly privileged account or an attacker would need an admin level account". It is planned to fix this issue in the next major release v5.

AI-Powered Analysis

Last updated: 11/13/2025, 22:20:19 UTC

Technical Analysis

CVE-2025-13131 identifies a permissions misconfiguration vulnerability in Sonarr 4.0.15.2940, specifically affecting the file Sonarr.Console.exe located in C:\ProgramData\Sonarr\bin\. The issue arises from incorrect default access control lists (ACLs) assigned to this executable, which is part of the Sonarr service component. This misconfiguration allows users with local access and low privileges to manipulate the service executable, potentially leading to privilege escalation or unauthorized service manipulation. The vulnerability does not require user interaction or authentication beyond local access, but to fully exploit it, an attacker would need to either change the service to run under a highly privileged account or already possess administrative rights. The vendor classifies the issue as low severity due to these constraints, but the CVSS 4.0 score of 8.5 (high) reflects the potential impact on confidentiality, integrity, and availability if exploited. The vulnerability has no known exploits in the wild as of now and is scheduled to be addressed in the next major release (v5). This vulnerability highlights the risk of improper default permissions on service executables, which can be a vector for local privilege escalation attacks in Windows environments.

Potential Impact

For European organizations, the impact of CVE-2025-13131 primarily concerns environments where Sonarr is deployed for media management and where local user access controls are insufficiently restrictive. If exploited, an attacker with local access could manipulate the Sonarr service executable, potentially leading to privilege escalation or unauthorized service control. This could result in unauthorized access to media libraries, disruption of service availability, or use of the compromised system as a foothold for further lateral movement within the network. While the attack requires local access and some level of privilege, environments with shared workstations, weak endpoint security, or insider threats are particularly vulnerable. The impact on confidentiality, integrity, and availability is high if the vulnerability is exploited, as indicated by the CVSS score. European organizations with strict regulatory requirements around data protection and service availability should consider this a significant risk, especially in sectors where media servers are integrated with broader IT infrastructure.

Mitigation Recommendations

To mitigate CVE-2025-13131, organizations should immediately audit and restrict the file system permissions on C:\ProgramData\Sonarr\bin\Sonarr.Console.exe to ensure that only authorized service accounts and administrators have write or modify access. Avoid running the Sonarr service under highly privileged accounts; maintain the default low-privilege service user. Implement strict local user access controls to prevent unauthorized local access. Employ endpoint detection and response (EDR) solutions to monitor for suspicious modifications to service executables. Regularly update Sonarr to the latest versions and plan to upgrade to Sonarr v5 once released, as it will include a fix for this vulnerability. Additionally, conduct user privilege reviews and enforce the principle of least privilege to minimize the risk of privilege escalation. Network segmentation can also limit the impact of a compromised local account. Finally, educate users about the risks of local privilege misuse and monitor logs for unusual service behavior.
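
One way to run the permission audit recommended above, as an added PowerShell example that is not vendor or advisory code. It assumes the install path named in the description; the `Get-RiskyAce` helper name and the allowlist of trusted SIDs are illustrative and should be adjusted to local policy.

```powershell
# Added audit example (not vendor code). The path comes from the advisory text.
$Binary = 'C:\ProgramData\Sonarr\bin\Sonarr.Console.exe'

# Access bits that permit altering a file, a directory's entries, or an ACL.
# Modify/FullControl are not used as masks because they also contain read bits.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteBits = $WriteBits -bor 0x10000000 -bor 0x40000000   # GENERIC_ALL, GENERIC_WRITE

# Assumed allowlist: SYSTEM, BUILTIN\Administrators, TrustedInstaller.
# Add the SID of the Sonarr service account if policy allows it to write here.
$Trusted = @(
    'S-1-5-18'
    'S-1-5-32-544'
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'
)

function Get-RiskyAce {
    param([Parameter(Mandatory)][string]$Path)
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not ([int]$ace.FileSystemRights -band $WriteBits)) { continue }
        $sid = $ace.IdentityReference.Value
        if ($Trusted -contains $sid) { continue }
        # Resolve the SID for display; fall back to the raw SID for orphaned accounts.
        $name = try { $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid }
        [pscustomobject]@{
            Path      = $Path
            Principal = $name
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

# Audit the executable and its two parent directories: directory permissions
# also decide who may replace or add files next to the service binary.
$bin  = Split-Path -Path $Binary -Parent
$root = Split-Path -Path $bin -Parent
$Binary, $bin, $root |
    Where-Object { Test-Path -LiteralPath $_ } |
    ForEach-Object { Get-RiskyAce -Path $_ } |
    Format-Table -AutoSize -Wrap

# Show the logon account of any service whose image path references the binary.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.PathName -like "*$(Split-Path -Path $Binary -Leaf)*" } |
    Format-List -Property Name, StartName, State, PathName
```

An empty table means no non-allowlisted principal holds write-type access on the checked paths; a `StartName` of `LocalSystem` or an administrative account is the high-privilege service configuration the vendor statement refers to.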


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2025-11-13T15:28:43.342Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69165800ef0b598b9f6fad7b

Added to database: 11/13/2025, 10:13:20 PM

Last enriched: 11/13/2025, 10:20:19 PM

Last updated: 11/14/2025, 4:07:09 AM
