
CVE-2025-46715: CWE-787: Out-of-bounds Write in sandboxie-plus Sandboxie

Severity: High
Published: Thu May 22 2025 (05/22/2025, 16:46:16 UTC)
Source: CVE
Vendor/Project: sandboxie-plus
Product: Sandboxie

Description

Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. Starting in version 1.3.0 and prior to version 1.15.12, Api_GetSecureParam fails to sanitize incoming pointers and implicitly trusts that the pointer the user has passed in is safe to write to. GetRegValue then writes the contents of the selected SBIE registry entry to this address. An attacker can pass in a kernel pointer, and the driver dumps the requested registry key contents to it. This can be triggered by anyone on the system, including low-integrity Windows processes. Version 1.15.12 fixes the issue.

AI-Powered Analysis

Last updated: 07/08/2025, 09:24:56 UTC

Technical Analysis

CVE-2025-46715 is a high-severity vulnerability classified under CWE-787 (Out-of-bounds Write) affecting Sandboxie, a sandbox-based isolation software for Windows NT-based operating systems. The flaw exists in versions from 1.3.0 up to but not including 1.15.12. It arises because the function Api_GetSecureParam does not validate the pointer supplied by the caller before treating it as a writable destination: GetRegValue then writes the contents of the selected Sandboxie registry entry to that user-supplied address. A caller can pass a kernel address, causing the driver to write registry key contents into arbitrary kernel memory. This can be triggered by any user on the system, including low-integrity Windows processes, without user interaction. An attacker with low privileges can therefore perform out-of-bounds writes in kernel memory, potentially leading to privilege escalation, arbitrary code execution in kernel mode, or system instability. The issue was fixed in Sandboxie version 1.15.12. The CVSS v3.1 score is 7.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity, low privileges required, and no user interaction. No exploits are currently reported in the wild, but the nature of the vulnerability makes it a significant risk if exploited.
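The root cause described above is a kernel driver writing to a caller-supplied pointer without first confirming it is a user-mode address. The following added illustration (not Sandboxie's code) contrasts the flawed pattern with the check a driver must perform before the first write; real Windows drivers call ProbeForWrite() inside __try/__except, which is modelled here with a hard-coded boundary constant so the example builds and runs on any 64-bit host. The function names, the boundary value and the sample addresses are all constructed for the illustration.

```c
/* Added illustration: user-pointer validation before a kernel write.
 * Not Sandboxie's code; names and constants are hypothetical. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed boundary: first address that is NOT user mode.  Modelled on
 * x64 Windows's MmUserProbeAddress; a real driver reads the kernel export
 * rather than hard-coding a value. */
#define USER_PROBE_ADDRESS 0x00007FFFFFFF0000ULL

/* True only if [ptr, ptr+len) lies entirely below the boundary and the
 * end-of-range arithmetic cannot wrap around. */
bool user_range_ok(uint64_t ptr, size_t len)
{
    if (len == 0 || ptr > UINT64_MAX - len)
        return false;                         /* empty or wrapping range */
    return ptr + len <= USER_PROBE_ADDRESS;
}

/* Flawed pattern: trust the destination and write the registry value
 * wherever the caller pointed.  With a kernel address this is the
 * out-of-bounds write the advisory describes. */
int copy_param_unchecked(void *dest, const void *value, size_t len)
{
    memcpy(dest, value, len);
    return 0;
}

/* Hardened pattern: validate before any write.  Returns 0 on success and
 * -1 when the destination is not a user-mode range (a real driver would
 * surface STATUS_ACCESS_VIOLATION from the failed probe). */
int copy_param_checked(void *dest, const void *value, size_t len)
{
    if (!user_range_ok((uint64_t)(uintptr_t)dest, len))
        return -1;
    memcpy(dest, value, len);
    return 0;
}

int main(void)
{
    static char user_buf[32];                          /* legitimate caller buffer */
    const char value[] = "constructed registry value";
    void *kernel_addr = (void *)(uintptr_t)0xFFFFF80012340000ULL; /* constructed */

    printf("user buffer: %s\n", copy_param_checked(user_buf, value, sizeof value) == 0 ? "written" : "rejected");
    printf("kernel addr: %s\n", copy_param_checked(kernel_addr, value, sizeof value) == 0 ? "written" : "rejected");
    return 0;
}
```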

Potential Impact

For European organizations, this vulnerability poses a serious risk, especially for those using Sandboxie for application isolation, malware analysis, or secure browsing environments. Successful exploitation could allow attackers to escalate from a low-integrity process to kernel-level code execution, bypassing security controls and potentially compromising sensitive data, disrupting critical systems, or deploying persistent malware. This is particularly concerning for sectors with high security requirements such as finance, healthcare, government, and critical infrastructure. The ability of low-privilege users or malware to trigger the flaw increases the attack surface within corporate networks. Since Sandboxie is used to isolate untrusted code, a compromise of its driver undermines the fundamental guarantee of sandboxing, potentially allowing attackers to escape containment and affect the host system. The absence of required user interaction and the low complexity of exploitation further elevate the threat level for European enterprises relying on this software.

Mitigation Recommendations

European organizations should immediately verify their use of Sandboxie and identify any installations running versions between 1.3.0 and 1.15.11 inclusive. The primary mitigation is to upgrade Sandboxie to version 1.15.12 or later, where the vulnerability is patched. If an immediate upgrade is not feasible, organizations should restrict Sandboxie usage to trusted users and apply strict process and memory access controls to limit the ability of low-integrity processes to interact with the Sandboxie driver. Endpoint detection and response (EDR) solutions that monitor for suspicious kernel memory writes or unusual Sandboxie activity can help detect exploitation attempts. Applying the principle of least privilege to user accounts and sandboxed processes reduces the risk of exploitation, and network segmentation and application whitelisting can further limit the impact of a successful attack. Finally, organizations should watch for emerging exploit code or indicators of compromise related to this CVE and update their incident response plans accordingly.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-28T20:56:09.083Z
CISA Enriched: false
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682f56360acd01a249263f60

Added to database: 5/22/2025, 4:52:06 PM

Last enriched: 7/8/2025, 9:24:56 AM

Last updated: 8/2/2025, 12:32:54 AM
